http://qs321.pair.com?node_id=11136996

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

Can you please tell me how and where I should add PERL_USE_UNSAFE_INC=1; while compiling Perl version 5.34?

I am aware that the current directory (.) has been removed from @INC because of some security concerns but in my scenario I will have to change a lot of scripts in the application, hence I need to have a dot(.) back in the @INC.

Any help would be appreciated!

Thank you

Re: How and where to pass PERL_USE_UNSAFE_INC=1; to Perl while compilation.
by Fletch (Bishop) on Sep 24, 2021 at 17:38 UTC

    I think you'd pass it as an argument to configure ./Configure ... -DPERL_USE_UNSAFE_INC=1 ... (but I'm not sure and if it's wrong somebody should correct). Another option rather than recompiling perl might be to explicitly add to the search path with something like PERL5LIB=.:$PERL5LIB in the relevant shell environment.

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.

      I think you'd pass it as an argument to configure ...

      In perl5260delta.pod we find:

        "PERL_USE_UNSAFE_INC"
            There is a new environment variable recognised by the perl
            interpreter. If this variable has the value 1 when the perl
            interpreter starts up, then "." will be automatically appended
            to @INC (except under tainting).

            This allows you restore the old perl interpreter behaviour on
            a case-by-case basis. But note that this is intended to be a
            temporary crutch, and this feature will likely be removed in
            some future perl version. It is currently set by the "cpan"
            utility and "Test::Harness" to ease installation of CPAN
            modules which have not been updated to handle the lack of dot.
            Once again, don't use this unless you are sure that this will
            not reintroduce any security concerns.

      From that, I gather that you don't actually configure perl to have "." in @INC, but you instead set the environment variable PERL_USE_UNSAFE_INC to 1 in order to obtain the "unsafe" @INC.

      OTOH, we have in perlrun.pod:

        PERL_USE_UNSAFE_INC
            If perl has been configured to not have the current directory
            in @INC by default, this variable can be set to "1" to
            reinstate it. It's primarily intended for use while building
            and testing modules that have not been updated to deal with
            "." not being in @INC and should not be set in the environment
            for day-to-day use.

      And this suggests that it is possible to configure perl such that @INC is "unsafe" by default.
      I, too, would guess that would be done as Fletch proposed.

      But I couldn't locate any definitive documentation on the matter.

      UPDATE: I've just received word from the p5p list that the correct configure arg to use is -Udefault_inc_excludes_dot and that this is documented in the INSTALL file (which is located in the top level directory of the perl source distro).

      Cheers,
      Rob
Re: How and where to pass PERL_USE_UNSAFE_INC=1; to Perl while compilation.
by ikegami (Patriarch) on Sep 26, 2021 at 16:34 UTC

    Your scripts are buggy, and I'm not talking about the potential security problem. They use the current work directory as a proxy for the script's directory, but that often fails.

    Just write a Perl one-liner to add the following to your buggy scripts to fix them:

    use FindBin qw( $RealBin ); use lib $RealBin;
      Thank you for the reply.

      That is how it has been working in the application for years with perl version 5.24.

      I understand using FindBin is definitely a better option than having the current directory (.), but it seems to work for us.

      Also, finding all these files and updating them is quite a task for us.

      Regards

        That is how it has been working in the application for years with perl version 5.24.

        Doesn't mean it wasn't buggy; it just means you always set the CWD to be the script's directory before starting it up. You literally had to take an extra step to work around the bug.

        Also, finding all these files and updating them is quite a task for us.

        find -name '*.pl' -exec perl -i~ -pe'$_ = "use FindBin qw( \$RealBin ); use lib \$RealBin;\n$_" if $. == 2' {} \;
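
To see which scripts actually depend on the current directory before editing them, a scan along these lines can narrow the list. It is an added example, not code from any poster in this thread; the sub names and the sample tree are made up for illustration, and it only recognises literal require/do/use lines.

```perl
use strict;
use warnings;
use File::Find qw( find );
use File::Basename qw( dirname );
use File::Temp qw( tempdir );
# Relative paths a script asks perl to load: require/do "file", use/require Module.
sub wanted_files {
    my ($src) = @_;
    my @rel;
    push @rel, $1 while $src =~ /^\s*(?:require|do)\s+["']([^"']+)["']/mg;
    while ($src =~ /^\s*(?:use|require)\s+([A-Z]\w*(?:::\w+)*)/mg) {
        (my $path = "$1.pm") =~ s{::}{/}g;    # My::Module -> My/Module.pm
        push @rel, $path;
    }
    return @rel;
}

# True if $rel sits beside the script and in no @INC directory other than ".".
sub needs_script_dir {
    my ($script, $rel) = @_;
    return 0 if grep { !ref($_) && $_ ne '.' && -e "$_/$rel" } @INC;
    my $beside = dirname($script) . "/$rel";
    return -e $beside ? 1 : 0;
}

# Map each *.pl under $root to the files it finds only in its own directory.
sub audit {
    my ($root) = @_;
    my %hits;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_ && /\.pl\z/;
        open my $fh, '<', $_ or return;
        my $src = do { local $/; <$fh> };
        my @local = grep { needs_script_dir($File::Find::name, $_) } wanted_files($src);
        $hits{$File::Find::name} = \@local if @local;
    } }, $root);
    return \%hits;
}

# Constructed sample tree: app.pl loads helper.pl from its own directory.
my $root  = tempdir(CLEANUP => 1);
my %files = ('app.pl'   => "use strict;\nrequire 'helper.pl';\n",
             'clean.pl' => "use strict;\nuse File::Basename;\n", 'helper.pl' => "1;\n");
for my $name (keys %files) {
    open my $fh, '>', "$root/$name" or die "$name: $!";
    print {$fh} $files{$name};
    close $fh or die "$name: $!";
}
my $hits = audit($root);
print "$_ needs its own directory for: @{ $hits->{$_} }\n" for sort keys %$hits;
```

On the sample tree only app.pl is reported; pointing audit() at the real application directory lists the scripts that need the FindBin line.
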
Re: How and where to pass PERL_USE_UNSAFE_INC=1; to Perl while compilation.
by Anonymous Monk on Sep 25, 2021 at 04:19 UTC
    Hi Monks, Thank you for the reply.
    I did try to add SET PERL_USE_UNSAFE_INC=1; in the batch being used to install the application but it didn't work.
    Batch file has path for perl.exe set, can I add it in the batch file itself to set it up? So that other perl scripts in the batch files would get the required files while installing the application.
    Thank you.
      I did try to add SET PERL_USE_UNSAFE_INC=1;

      Oh ... I wasn't expecting that you're on Windows.

      It's the ";" at the end of your "SET" command that's screwing things up:

      C:\>set PERL_USE_UNSAFE_INC=1;

      C:\>perl -le "print for @INC;"
      C:/perl-5.34.0/site/lib/MSWin32-x64-multi-thread
      C:/perl-5.34.0/site/lib
      C:/perl-5.34.0/lib/MSWin32-x64-multi-thread
      C:/perl-5.34.0/lib

      C:\>set PERL_USE_UNSAFE_INC=1

      C:\>perl -le "print for @INC;"
      C:/perl-5.34.0/site/lib/MSWin32-x64-multi-thread
      C:/perl-5.34.0/site/lib
      C:/perl-5.34.0/lib/MSWin32-x64-multi-thread
      C:/perl-5.34.0/lib
      .

      C:\>

      Cheers,
      Rob
        Hi Rob, thank you for pointing this out and trying it, it worked!!!

        To have a persistent env variable created, I just used setx later on instead of set.

        Regards