[perl #127810] Provide -Dfortify_inc Configure option to remove . from @INC
From: Todd Rinaldo
Date: April 1, 2016 00:01
Subject: [perl #127810] Provide -Dfortify_inc Configure option to remove . from @INC
Message ID: rt-4.0.18-4222-1459468871-747.127810-75-0@perl.org
# New Ticket Created by "Todd Rinaldo"
# Please include the string: [perl #127810]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=127810 >
This is a bug report for perl from toddr@cpan.org,
generated with the help of perlbug 1.40 running under perl 5.22.1.
-----------------------------------------------------------------
[Please describe your issue here]
Several discussions have been had over the years about removing . from @INC.
In 2010, Ansgar brought it up:
http://www.nntp.perl.org/group/perl.perl5.porters/2010/08/msg162729.html
In 2012, I brought it up:
http://code.activestate.com/lists/perl5-porters/176081/
My summary of the responses to these email chains would be:
1. A certain percentage of people do not agree that . in @INC is a
security issue. Others feel it's "a basic sanity provision"
2. There is a general agreement that the Perl toolchain highly depends
on this behavior so the toolchain would have to be fixed.
3. Some predicted disastrous consequences.
4. Many feel the problem is unfixable because of how long Perl has
been this way.
I didn't quite make the Perl 5.18 deadline like I promised in the
email, but I now have a proposal complete with patches.
What I propose is a small patch to perl.c which causes . to be missing
from @INC unless the environment variable PERL_USE_UNSAFE_INC=1 is
present. This would only happen based on a Configure question which
would default to being off so that the default Perl install does not
change.
Cpanel currently ships and updates Perl 5.22 along with roughly 900
perl modules. In the coming version of our product, we will be
shipping a Perl that does not have . in @INC. These modules are all
built as RPMs and I consider the RPMs a failed build if their unit
tests cannot pass. There were about 3 of these 900 modules I had to do
something weird with (because they were stripping %ENV or just being
weird themselves). I did this by simply adding PERL_USE_UNSAFE_INC=1
in the appropriate places to EU::MM, M::B, M::B::Tiny.
I am attaching the patches which will provide this option. I have
updated no documentation yet. I can provide that if I can get some
agreement for this to merge for 5.25.0 (I assume I've missed the 5.24
deadline for something like this?)
You can also find the commits here on github if you prefer to see them
there: https://github.com/toddr/perl/compare/blead...toddr:pop_INC?diff=unified&expand=1&name=pop_INC
Once this merges, it will provide an opportunity for me to begin
providing patches to authors so that PERL_USE_UNSAFE_INC is for the
most part unneeded.
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=medium
---
Site configuration information for perl 5.22.1:
Configured by cPanel at Wed Mar 2 15:47:40 CST 2016.
Summary of my perl5 (revision 5 version 22 subversion 1) configuration:
Platform:
osname=linux, osvers=2.6.32-431.29.2.el6.i686, archname=i386-linux-64int
uname='linux rpmb-32-centos-65.dev.cpanel.net
2.6.32-431.29.2.el6.i686 #1 smp tue sep 9 20:14:52 utc 2014 i686 i686
i386 gnulinux '
config_args='-des -Dusedevel -Darchname=i386-linux-64int
-Dcc=/usr/bin/gcc -Dcpp=/usr/bin/cpp -DDEBUGGING=none -Doptimize=-Os
-Dusemymalloc=n -Duseshrplib -Duselargefiles=yes -Duseposix=true
-Dhint=recommended -Duseperlio=yes -Dccflags=-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-Dcppflags=-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-Dldflags=-Wl,-rpath -Wl,/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib
-Dprefix=/usr/local/cpanel/3rdparty/perl/522
-Dsiteprefix=/opt/cpanel/perl5/522 -Dsitebin=/opt/cpanel/perl5/522/bin
-Dsitelib=/opt/cpanel/perl5/522/site_lib -Dusevendorprefix=true
-Dvendorbin=/usr/local/cpanel/3rdparty/perl/522/bin
-Dvendorprefix=/usr/local/cpanel/3rdparty/perl/522/lib/perl5
-Dvendorlib=/usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib
-Dprivlib=/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1
-Dman1dir=none -Dman3dir=none
-Dscriptdir=/usr/local/cpanel/3rdparty/perl/522/bin
-Dscriptdirexp=/usr/local/cpanel/3rdparty/perl/522/bin
-Dsiteman1dir=none -Dsiteman3dir=none -Dinstallman1dir=none
-Dversiononly=no -Dinstallusrbinperl=no -Dcf_by=cPanel
-Dmyhostname=localhost -Dperladmin=root@localhost
-Dcf_email=support@cpanel.net
-Di_dbm=/usr/local/cpanel/3rdparty/include
-Di_gdbm=/usr/local/cpanel/3rdparty/include
-Di_ndbm=/usr/local/cpanel/3rdparty/include -DDB_File=true -Ud_dosuid
-Uuserelocatableinc -Umad -Uusethreads -Uusemultiplicity -Uusesocks
-Uuselongdouble -Aldflags=-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
-Dlocincpth=/usr/local/cpanel/3rdparty/perl/522/include
/usr/local/cpanel/3rdparty/include /usr/local/include -Duse64bitint
-Uuse64bitall -Acflags=-fPIC -DPIC -m32
-I/usr/local/cpanel/3rdparty/perl/522/include
-I/usr/local/cpanel/3rdparty/include
-Dlibpth=/usr/local/cpanel/3rdparty/perl/522/lib
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib '
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='/usr/bin/gcc', ccflags ='-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-D_FORTIFY_SOURCE=2',
optimize='-Os',
cppflags='-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-DPERL_DISABLE_PMC -I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
ccversion='', gccversion='4.4.7 20120313 (Red Hat 4.4.7-4)', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8,
byteorder=12345678, doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define,
longdblsize=12, longdblkind=3
ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
Off_t='off_t', lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='/usr/bin/gcc', ldflags ='-Wl,-rpath
-Wl,/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
-fstack-protector -L/usr/local/lib'
libpth=/usr/local/cpanel/3rdparty/perl/522/lib
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib
/usr/local/lib /usr/lib
libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.12.so, so=so, useshrplib=true, libperl=libperl.so
gnulibc_version='2.12'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E
-Wl,-rpath,/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1/i386-linux-64int/CORE'
cccdlflags='-fPIC', lddlflags='-shared -Os
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -L/usr/local/lib
-fstack-protector'
Locally applied patches:
cPanel patches
cPanel INC path changes
Remove . from @INC
---
@INC for perl 5.22.1:
/usr/local/cpanel
/usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib/i386-linux-64int
/usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib
/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1/i386-linux-64int
/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1
/opt/cpanel/perl5/522/site_lib/i386-linux-64int
/opt/cpanel/perl5/522/site_lib
---
Environment for perl 5.22.1:
HOME=/root
LANG=en_US.UTF-8
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/usr/local/cpanel/bin:/usr/local/cpanel/3rdparty/bin:/usr/local/cpanel/3rdparty/perl/522/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/cpanel/perl5/522/bin
PERL_BADLANG (unset)
SHELL=/bin/zsh
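
The policy proposed in the message above ("." absent from @INC unless PERL_USE_UNSAFE_INC=1), modelled in plain Perl as an added example; it is not part of the original message or its attached patches. `effective_inc`, `resolve_module` and the module name `Local::Helper` are hypothetical, and the working directory is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not the ticket's patch: a pure-Perl model of the proposed policy.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Proposed rule: "." stays in the search path only if PERL_USE_UNSAFE_INC=1.
sub effective_inc {
    my ($inc, $env) = @_;
    return @$inc if ($env->{PERL_USE_UNSAFE_INC} // '') eq '1';
    return grep { ref($_) || $_ ne '.' } @$inc;
}

# First search-path entry holding the module, in the order require() walks
# the list. Code-ref hooks in @INC are skipped (simplification).
sub resolve_module {
    my ($module, @inc) = @_;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    for my $dir (grep { !ref } @inc) {
        return $dir if -f File::Spec->catfile($dir, $rel);
    }
    return;
}

# Constructed scenario: the current directory holds Local/Helper.pm, a
# hypothetical module that is installed nowhere else.
my $start = getcwd();
my $work  = tempdir(CLEANUP => 1);
mkdir "$work/Local" or die "mkdir: $!";
open my $fh, '>', "$work/Local/Helper.pm" or die "open: $!";
print {$fh} "package Local::Helper;\n1;\n";
close $fh or die "close: $!";
chdir $work or die "chdir: $!";

# Assumption: models a stock build of this era, where "." is the last entry.
my @stock = ((grep { ref($_) || $_ ne '.' } @INC), '.');

for my $env ({}, { PERL_USE_UNSAFE_INC => '1' }) {
    my @inc = effective_inc(\@stock, $env);
    my $dir = resolve_module('Local::Helper', @inc);
    printf "PERL_USE_UNSAFE_INC=%-7s Local::Helper %s\n",
        $env->{PERL_USE_UNSAFE_INC} // '(unset)',
        defined $dir ? "loads from '$dir'" : 'does not resolve';
}
chdir $start or die "chdir: $!";
```

Calling `resolve_module` on the module names a code base actually requires, and flagging any that come back as ".", lists the loads that would break, or need PERL_USE_UNSAFE_INC=1, under a perl built this way.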