[Koha-bugs] [Bug 17717] Fix broken cronjobs due to permissions of the current directory

bugzilla-daemon at bugs.koha-community.org
Fri Mar 2 17:13:18 CET 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17717

--- Comment #58 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
(In reply to Marco Moreno from comment #57)
> Hmmm...I'm now reconsidering this and wonder if option #3 is really the best
> solution by removing '.' from @INC.
> 
> You made a good point about /tmp being a concern.  This, plus the fact that
> they have removed '.' from @INC in recent versions of Perl, has convinced me
> that having '.' in @INC is generally a very bad idea and a major security
> concern.
> 
> Therefore, I want to propose revisiting comment #40 which removes '.' from
> @INC in a common library early in the bootstrapping process.  This
> effectively undoes the "feature" added in Perl 5.18 and removed in Perl
> 5.26.  Additionally, this prevents exploits that attempt to insert '.' via
> PERL5LIB.

I considered that option. But we would need to do it on every script, and we
would also be changing the current behaviour. Someone might be using their own
lib (or version of some lib) on purpose and we'd be breaking them. So, for the
general user base, we should stick with the cleaner solution IMHO.

-- 
You are receiving this mail because:
You are watching all bug changes.
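
The proposal discussed in this message (dropping '.' from @INC early in the bootstrapping process) could look like the following. This is an added example, not part of the original mail and not Koha code; the regex, `is_cwd_entry` and the `PlantedDemo` module are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Names below are hypothetical.
my $CWD_ENTRY;
BEGIN {
    # Runs at compile time, before any module is loaded, so every later
    # `use` is resolved against the filtered list. This also covers a '.'
    # that arrived through PERL5LIB or -I. @INC hooks (refs) are kept.
    $CWD_ENTRY = qr{\A\.(?:/+\.)*/*\z};    # '.', './', './.', '././' ...
    @INC = grep { ref($_) || $_ !~ $CWD_ENTRY } @INC;
}
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# True when an @INC entry is a plain string naming the current directory.
sub is_cwd_entry {
    my ($entry) = @_;
    return (!ref($entry) && $entry =~ $CWD_ENTRY) ? 1 : 0;
}

# Constructed demonstration: a module sitting in a world-writable style
# working directory, looked up with and without '.' in the search path.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/PlantedDemo.pm" or die "open: $!";
print {$fh} "package PlantedDemo; 1;\n";
close $fh or die "close: $!";

my $old_cwd = getcwd();
chdir $dir or die "chdir: $!";

my @with_dot = ('.', './', @INC);          # what an unfiltered path could hold
my %cases = (
    unfiltered => [@with_dot],
    filtered   => [grep { !is_cwd_entry($_) } @with_dot],
);
for my $name (qw(unfiltered filtered)) {
    local @INC = @{ $cases{$name} };
    delete $INC{'PlantedDemo.pm'};         # force a fresh lookup each time
    my $ok = eval { require PlantedDemo; 1 };
    printf "%-10s -> PlantedDemo %s\n", $name, $ok ? 'loaded from cwd' : 'not found';
}
chdir $old_cwd or die "chdir: $!";
```

Only absolute and explicitly configured directories remain in the search path after the `BEGIN` block, which is also why a site that relies on a library in the working directory would stop finding it.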