Now that recent versions of Perl have removed "." from @INC, I'm curious about best practices for module file location. Until now, the *.pm files associated with each application on our web site were in the same directory as the scripts. This, I gather, creates a security vulnerability.
We don't have write access to the remaining directories in @INC.
We could just leave the pm files where they are, and add use lib ".";
to all our existing scripts, but wouldn't this just preserve the security vulnerability?
Any suggestions on how our Perl scripts and their associated modules can be best organized in the light of this new development?
No, placing modules in the same directory as the script isn't a security vulnerability. Assuming the current work directory (".") is the script's directory is a bug and a security vulnerability. "." was never guaranteed to be the directory in which the script is located. (In fact, time and time again, people have found "." to be "/" in CGI scripts.) Just keep using what you should already be using:
use FindBin qw( $RealBin );
use lib $RealBin;
An alternative to FindBin is:
#!/usr/bin/env perl
use strict;
use warnings;
use File::Basename qw( dirname );
use File::Spec::Functions qw( rel2abs );
use lib rel2abs( dirname(__FILE__) );
print "$_\n" for @INC;
As @ikegami points out, if you want to be able to invoke the script via symlinks, you'll need:
use Cwd qw( abs_path );
use File::Basename qw( dirname );   # dirname is imported here so this snippet stands alone
use lib dirname(abs_path($0));
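Putting both answers together, here is an added example (not code from the question or from either answer) that resolves the script's real directory through symlinks, puts a "lib" subdirectory beside it on @INC at compile time, and then refuses to start if any @INC entry is a relative path or is writable by other users. The "lib" layout, the MyApp::Config module name and the group-writable-is-unsafe policy are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Cwd qw( abs_path );
use File::Basename qw( dirname );
use File::Spec;

# Return a description of every @INC entry that should not be trusted as a
# module source: relative paths (resolved against the unpredictable current
# directory) and directories that other users could write to. Treating
# group-writable directories as unsafe is a conservative policy choice.
sub unsafe_inc_entries {
    my @bad;
    for my $dir ( grep { !ref } @INC ) {    # skip code-ref @INC hooks
        if ( !File::Spec->file_name_is_absolute($dir) ) {
            push @bad, "$dir (relative path)";
            next;
        }
        next unless -d $dir;    # Perl silently skips missing directories
        my @st = stat $dir;
        next unless @st;        # unreadable: nothing can be loaded from it
        my $mode = $st[2] & 07777;
        push @bad, sprintf( "%s (mode %04o, group/other writable)", $dir, $mode )
            if $mode & 022;
    }
    return @bad;
}

# Everything below runs at compile time, before any "use MyApp::..." line,
# because "use" is itself compile-time.
BEGIN {
    # abs_path resolves symlinks, so a script invoked through a symlink still
    # finds the modules beside the real file. "lib" is an assumed layout.
    my $lib_dir = File::Spec->catdir( dirname( abs_path($0) ), 'lib' );
    unshift @INC, $lib_dir;    # same effect as "use lib $lib_dir"

    my @bad = unsafe_inc_entries();
    die "Refusing to start; unsafe \@INC entries:\n  "
        . join( "\n  ", @bad ) . "\n"
        if @bad;
}

# Application modules are loaded only after the check has passed; the module
# name is a placeholder for your own.
# use MyApp::Config;

print "$_\n" for @INC;
```

Run it once from a directory other than the script's own to confirm the output contains the script's real "lib" directory and nothing relative.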