From 1c0b416e85e27c8e2a2ac2fb36c88212f3c09c2f Mon Sep 17 00:00:00 2001 From: dakkar Date: Thu, 26 Sep 2024 13:55:33 +0100 Subject: [PATCH] Document that empty PATH components are also insecure. --- pod/perldiag.pod | 5 +++-- pod/perlsec.pod | 19 +++++++++++-------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/pod/perldiag.pod b/pod/perldiag.pod index 00a2587453..1af0dcc364 100644 --- a/pod/perldiag.pod +++ b/pod/perldiag.pod @@ -3123,8 +3123,9 @@ L for more information. (F) You can't use system(), exec(), or a piped open in a setuid or setgid script if C<$ENV{PATH}> contains a directory that is writable by -the world. Also, the PATH must not contain any relative directory. -See L. +the world. Also, the PATH must not contain any relative directory or +empty component (so C<''>, C<':'>, and C<'/usr/bin::/usr/local/bin'> +would all trigger this error). See L. =item Insecure $ENV{%s} while running %s diff --git a/pod/perlsec.pod b/pod/perlsec.pod index c5f6c3175c..b0c3c2d062 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod 
@@ -274,14 +274,17 @@ default. For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to a known value, and each directory in the path must be absolute and -non-writable by others than its owner and group. You may be surprised to -get this message even if the pathname to your executable is fully -qualified. This is I generated because you didn't supply a full path -to the program; instead, it's generated because you never set your PATH -environment variable, or you didn't set it to something that was safe. -Because Perl can't guarantee that the executable in question isn't itself -going to turn around and execute some other program that is dependent on -your PATH, it makes sure you set the PATH. +non-writable by others than its owner and group. Notice that, at least on +Unix-like environments, an empty component of the PATH may be interpreted +as if it were C<.> (the local directory), which will also trigger this +message. You may be surprised to get this message even if the pathname +to your executable is fully qualified. This is I generated because +you didn't supply a full path to the program; instead, it's generated +because you never set your PATH environment variable, or you didn't set +it to something that was safe. Because Perl can't guarantee that the +executable in question isn't itself going to turn around and execute some +other program that is dependent on your PATH, it makes sure you set the +PATH. The PATH isn't the only environment variable which can cause problems. Because some shells may use the variables IFS, CDPATH, ENV, and
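Review bot: in the pod/perldiag.pod hunk, the C<''> example should be verified before it is listed next to C<':'> and C<'/usr/bin::/usr/local/bin'>. The entry describes this error as raised when PATH contains a directory that is world-writable, relative, or empty; a completely empty PATH has no component at all to fail that test, so it is not obvious from the text that it produces this diagnostic rather than a different one (or none). If it does reproduce, say so explicitly ("an empty PATH, or any empty component") instead of leaving the reader to infer it from the list; if it does not, drop it. It would also help to give the reason in one clause, as the perlsec.pod hunk does: an empty component is treated as the current directory, which is just the relative-directory case the preceding sentence already forbids.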
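Review bot: in the pod/perlsec.pod hunk, "may be interpreted as if it were C<.> (the local directory)" leaves the agent vague and uses a non-standard term. It is the shell that treats an empty PATH element as the current directory, and "current directory" is the usual name; "at least on Unix-like environments" also reads oddly. Suggest: "Note that on Unix-like systems the shell treats an empty component of the PATH (a leading, trailing, or doubled colon) as the current directory, C<.>, so an empty component also triggers this message." Spelling out the three forms is worth the extra words because a trailing colon is the one people most often overlook when they build a PATH by concatenation.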