Reputation: 3432
I'm trying to modify PERLLIB in order to give access to the folder where a certain library is.
In order to do so I'm modifying the PERLLIB variable:
export PERLLIB=/some/folder
Now if I do:
perl
print "$_\n" for @INC;
The new folder is displayed. However, if I do
perl -wT
print "$_\n" for @INC;
The new folder is not displayed. Is there a way to modify INC variable with env variables with the T flag?
Upvotes: 0
Views: 107
Reputation: 69274
The perlsec man page has this to say on Taint mode and @INC.
When the taint mode (-T) is in effect, the "." directory is removed from @INC, and the environment variables PERL5LIB and PERLLIB are ignored by Perl. You can still adjust @INC from outside the program by using the -I command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the -I option is clearly visible and therefore permitted.
Another way to modify @INC without modifying the program, is to use the lib pragma, e.g.:
perl -Mlib=/foo program
The benefit of using -Mlib=/foo over -I/foo, is that the former will automagically remove any duplicated directories, while the latter will not.
Note that if a tainted string is added to @INC, the following problem will be reported:
Insecure dependency in require while running with -T switch
Upvotes: 5
Reputation: 385917
No. That would defy the point. The whole purpose of -T is to avoid letting the caller execute arbitrary code, and giving them control of @INC would allow just that.
$ cat script
#!/usr/bin/perl
use strict;
use warnings;
print "Hello World\n";
$ printf '%s' 'print "owned\n";' >strict.pm
$ PERL5LIB=. script
owned
Hello World
Since -T is usually used by setuid scripts, allowing the caller to modify @INC would allow the caller to execute arbitrary code as the script owner.
You can use either of the following (but the script's setuid and setgid bits will be ignored):
perl -I/some/folder -T script
perl -Mlib=/some/folder -T script
You could add the following to the script itself if it's a setuid/setgid script:
use lib '/some/folder';
Make sure to use an absolute path, or you'll effectively invalidate -T.
Upvotes: 5