mirror/perl
1
0
Fork 0
mirror of https://github.com/Perl/perl5.git synced 2026-01-26 08:38:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Document that empty PATH components are also insecure.

Browse Source
This commit is contained in:
dakkar 2024-09-26 13:55:33 +01:00 committed by Karl Williamson
parent 78005a324b
commit 1c0b416e85
2 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pod/perldiag.pod
View File

@ -3123,8 +3123,9 @@ L<perlsec> for more information.
(F) You can't use system(), exec(), or a piped open in a setuid or
setgid script if C<$ENV{PATH}> contains a directory that is writable by
the world. Also, the PATH must not contain any relative directory.
See L<perlsec>.
the world. Also, the PATH must not contain any relative directory or
empty component (so C<''>, C<':'>, and C<'/usr/bin::/usr/local/bin'>
would all trigger this error). See L<perlsec>.
=item Insecure $ENV{%s} while running %s

19
pod/perlsec.pod
View File

@ -274,14 +274,17 @@ default.
For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to
a known value, and each directory in the path must be absolute and
non-writable by others than its owner and group. You may be surprised to
get this message even if the pathname to your executable is fully
qualified. This is I<not> generated because you didn't supply a full path
to the program; instead, it's generated because you never set your PATH
environment variable, or you didn't set it to something that was safe.
Because Perl can't guarantee that the executable in question isn't itself
going to turn around and execute some other program that is dependent on
your PATH, it makes sure you set the PATH.
non-writable by others than its owner and group. Notice that, at least on
Unix-like environments, an empty component of the PATH may be interpreted
as if it were C<.> (the local directory), which will also trigger this
message. You may be surprised to get this message even if the pathname
to your executable is fully qualified. This is I<not> generated because
you didn't supply a full path to the program; instead, it's generated
because you never set your PATH environment variable, or you didn't set
it to something that was safe. Because Perl can't guarantee that the
executable in question isn't itself going to turn around and execute some
other program that is dependent on your PATH, it makes sure you set the
PATH.
The PATH isn't the only environment variable which can cause problems.
Because some shells may use the variables IFS, CDPATH, ENV, and