Ticket #1589 (new bug)
Move . to the end of the library search path
Description
Here's a snippet of strace output after I accidentally ran parrot-nqp in a directory with a Regex.pbc file:
stat64("./Regex.pbc", {st_mode=S_IFREG|0644, st_size=100432, ...}) = 0
open("./Regex.pbc", O_RDONLY|O_LARGEFILE) = 3
stat64("./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("./P6object.pir", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("./P6object.pasm", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("/usr/local/./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("/usr/local/./P6object.pir", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("/usr/local/./P6object.pasm", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("/usr/local/./P6object.pbc", 0xbf9ee9bc) = -1 ENOENT (No such file or directory)
stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
stat64("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", {st_mode=S_IFREG|0644, st_size=18448, ...}) = 0
open("/usr/local/lib/parrot/2.3.0-devel/library/P6object.pbc", O_RDONLY|O_LARGEFILE) = 3
Parrot has taken Regex.pbc in the current directory before even checking for it in the standard libraries. The same behavior occurs with all other Parrot-based programs which use installed libraries. This provides an attack vector against Parrot users:
- Wait for Perl6-on-Parrot to hit the big time.
- Distribute a shady tarball containing a malicious P6Regex.pbc inside it.
- The victim unpacks the tarball and attempts to analyze the contents.
- The user runs his Perl 6 based editor.
- Rakudo loads Perl6.pbc from the current directory. My code is now running.
It's probably best to follow Perl 5's example here:
$ perl -V
...
@INC:
    /usr/local/lib/perl5/site_perl/5.12.0/i686-linux-thread-multi
    /usr/local/lib/perl5/site_perl/5.12.0
    /usr/local/lib/perl5/5.12.0/i686-linux-thread-multi
    /usr/local/lib/perl5/5.12.0
    .
With the current directory at the end, installed programs which use only installed libraries will never be tricked into running code in the current directory. Hopefully it is not too common for installed programs to reference nonexistent libraries.
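The effect of the ordering can be reproduced with a small model of the lookup. This is an added example, not part of the ticket and not Parrot's loader code. The function names, the temporary directory layout and the extension order (read off the strace output above) are assumptions.

```python
import os
import tempfile

# Extension order as it appears in the strace output above; the real loader
# may differ (assumption).
EXTENSIONS = (".pbc", ".pir", ".pasm")


def resolve(name, search_path, cwd):
    """Return the first existing file for name; relative entries use cwd."""
    for entry in search_path:
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        for ext in EXTENSIONS:
            candidate = os.path.normpath(os.path.join(base, name + ext))
            if os.path.isfile(candidate):
                return candidate
    return None


def shadowing_entries(search_path):
    """Relative entries that are searched before at least one absolute entry."""
    last_abs = max((i for i, e in enumerate(search_path) if os.path.isabs(e)),
                   default=-1)
    return [e for i, e in enumerate(search_path)
            if not os.path.isabs(e) and i < last_abs]


def demo():
    """Constructed install tree plus an 'unpacked tarball' working directory."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "lib", "parrot", "library")  # stand-in path
        workdir = os.path.join(root, "untrusted")
        os.makedirs(libdir)
        os.makedirs(workdir)
        for d in (libdir, workdir):
            with open(os.path.join(d, "Regex.pbc"), "w") as fh:
                fh.write("constructed placeholder\n")
        dot_first = resolve("Regex", [".", libdir], workdir)
        dot_last = resolve("Regex", [libdir, "."], workdir)
        return (os.path.dirname(dot_first) == workdir,
                os.path.dirname(dot_last) == libdir,
                shadowing_entries([".", libdir]),
                shadowing_entries([libdir, "."]))


if __name__ == "__main__":
    print(demo())
```

`shadowing_entries` can be pointed at any configured search path to flag relative entries that take precedence over installed library directories.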