outdated sentence in perlsec #16571

Closed
p5pRT opened this issue May 28, 2018 · 6 comments

p5pRT commented May 28, 2018

Migrated from rt.perl.org#133230 (status was 'open')

Searchable as RT133230$

p5pRT commented May 28, 2018

From lortav72@gmail.com

This is a bug report for perl from lortav72@gmail.com,
generated with the help of perlbug 1.39 running under perl 5.14.2.

In perlsec, the 'Taint mode and @INC' paragraph begins with the sentence:
'When the taint mode (-T) is in effect, the "." directory is removed from
@INC, ...'
which seems no longer needed because "." has been removed from @INC since
5.26.

A possible better sentence could be:

For perl versions prior to 5.26, when the taint mode (-T) is in effect, the
"." directory is removed from @INC, and
the environment variables PERL5LIB and PERLLIB are ignored by Perl (note
that since Perl 5.26 "." is no longer present in
@INC anyway).

Thanks for reading

lortav72@gmail.com
---
Flags:
  category=docs
  severity=low


Site configuration information for perl 5.14.2:


p5pRT commented May 31, 2018

From @tonycoz

On Mon, 28 May 2018 13:41:43 -0700, lortav72@gmail.com wrote:

> In perlsec, the 'Taint mode and @INC' paragraph begins with the
> sentence:
> 'When the taint mode (-T) is in effect, the "." directory is removed
> from @INC, ...'
> which seems no longer needed because "." has been removed from @INC since
> 5.26.
>
> A possible better sentence could be:
>
> For perl versions prior to 5.26, when the taint mode (-T) is in effect,
> the "." directory is removed from @INC, and
> the environment variables PERL5LIB and PERLLIB are ignored by Perl
> (note that since Perl 5.26 "." is no longer present in
> @INC anyway).

Something like the attached, maybe.

Tony

p5pRT commented May 31, 2018

From @tonycoz

0001-perl-133230-.-is-no-longer-in-INC-by-default.patch
From fd1d01e82034d5a4e1bde1a7db296bb10c1ac479 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 31 May 2018 11:52:45 +1000
Subject: (perl #133230) . is no longer in @INC by default

---
 pod/perlmodlib.PL | 3 ++-
 pod/perlsec.pod   | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/pod/perlmodlib.PL b/pod/perlmodlib.PL
index b92f9ca151..0af82929e5 100644
--- a/pod/perlmodlib.PL
+++ b/pod/perlmodlib.PL
@@ -186,7 +186,8 @@ double quotes should be used instead of single quotes).
       'find { wanted => sub { print canonpath $_ if /\.pm\z/ },
       no_chdir => 1 }, @INC'
 
-(The -T is here to prevent '.' from being listed in @INC.)
+(The -T is here to prevent @INC from being populated by C<PERL5LIB>,
+C<PERL5LIB> and C<PERL_USE_UNSAFE_INC>.)
 They should all have their own documentation installed and accessible
 via your system man(1) command.  If you do not have a B<find>
 program, you can use the Perl B<find2perl> program instead, which
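Review bot: the added parenthetical names C<PERL5LIB> twice ("C<PERL5LIB>," on the first added line and "C<PERL5LIB> and C<PERL_USE_UNSAFE_INC>" on the second); the second occurrence should presumably be C<PERLLIB>, which is the set of three variables the perlsec.pod hunk of this same patch lists. Suggest "C<PERL5LIB>, C<PERLLIB> and C<PERL_USE_UNSAFE_INC>" so the two documents agree.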
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index b210445685..9bc40f216b 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -245,11 +245,11 @@ Unix-like environments that support #! and setuid or setgid scripts.)
 
 =head2 Taint mode and @INC
 
-When the taint mode (C<-T>) is in effect, the "." directory is removed
-from C<@INC>, and the environment variables C<PERL5LIB> and C<PERLLIB>
+When the taint mode (C<-T>) is in effect, the environment variables
+C<PERL5LIB>, C<PERLLIB> and C<PERL_USE_UNSAFE_INC>
 are ignored by Perl.  You can still adjust C<@INC> from outside the
 program by using the C<-I> command line option as explained in
-L<perlrun>.  The two environment variables are ignored because
+L<perlrun>.  The three environment variables are ignored because
 they are obscured, and a user running a program could be unaware that
 they are set, whereas the C<-I> option is clearly visible and
 therefore permitted.
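Review bot: the rewritten opening sentence drops every mention of "." and introduces C<PERL_USE_UNSAFE_INC> without saying what that variable does, so the paragraph no longer explains why it belongs next to C<PERL5LIB> and C<PERLLIB>. Suggest one added sentence stating that "." is not in C<@INC> by default (as the commit subject says) and that C<PERL_USE_UNSAFE_INC> has no effect under C<-T>. The added line "C<PERL5LIB>, C<PERLLIB> and C<PERL_USE_UNSAFE_INC>" is also left short and could be refilled with the line that follows it.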
-- 
2.11.0

p5pRT commented May 31, 2018

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented May 31, 2018

From @hvds

On Wed, 30 May 2018 18:53:40 -0700, tonyc wrote:

+(The -T is here to prevent @​INC from being populated by C<PERL5LIB>,
+C<PERL5LIB> and C<PERL_USE_UNSAFE_INC>.)

s/PERL5LIB/PERLLIB/ the second time, I assume.

@khwilliamson

Applied with @hvds fix as 96acb8b
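
The behaviour the patched perlsec paragraph describes can be checked on a given perl with the script below, which is an added example and not part of this thread or of the perl source. It runs a child perl three ways with `PERL5LIB` and `PERL_USE_UNSAFE_INC` set and reports what reaches `@INC`. Assumptions: perl 5.26 or later on a Unix-like system; the directories are constructed temp dirs and `child_inc` is a helper named here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed directories: one injected through the environment, one via -I.
my $env_dir = tempdir(CLEANUP => 1);
my $opt_dir = tempdir(CLEANUP => 1);

# Variables that can alter a child perl's @INC or switches.
my @CLEAN_VARS = qw(PERL5LIB PERLLIB PERL_USE_UNSAFE_INC PERL5OPT);

# Hypothetical helper: run a child perl with the given switches and
# environment overrides, and return the @INC it ends up with.
sub child_inc {
    my ($switches, %set) = @_;
    delete local @ENV{@CLEAN_VARS};    # clean slate, restored on return
    @ENV{keys %set} = values %set;
    open my $fh, '-|', $^X, @$switches, '-e', 'print "$_\n" for @INC'
        or die "cannot run $^X: $!";
    chomp(my @inc = <$fh>);
    close $fh or die "child perl failed (wait status $?)";
    return @inc;
}

# Environment a user might not notice is set. PERLLIB is left out because
# perl only consults it when PERL5LIB is undefined.
my %hidden = (PERL5LIB => $env_dir, PERL_USE_UNSAFE_INC => 1);

for my $case (
    [ 'perl'            => [] ],
    [ 'perl -T'         => ['-T'] ],
    [ 'perl -T -I<dir>' => ['-T', "-I$opt_dir"] ],
) {
    my ($label, $switches) = @$case;
    my %in = map { $_ => 1 } child_inc($switches, %hidden);
    printf "%-16s PERL5LIB dir: %-3s  '.': %-3s  -I dir: %-3s\n", $label,
        map { $in{$_} ? 'yes' : 'no' } $env_dir, '.', $opt_dir;
}
```

Only the first row should show the environment-supplied directory and "." in `@INC`; the third row shows that the visible `-I` switch still takes effect under `-T`.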
