3
votes

Now that recent versions of Perl have removed "." from @INC, I'm curious about best practices for module file location. Until now, the *.pm files associated with each application on our web site were in the same directory as the scripts. This, I gather, creates a security vulnerability.

We don't have write access to the remaining directories in @INC.

We could just leave the pm files where they are, and add use lib "."; to all our existing scripts, but wouldn't this just preserve the security vulnerability?

Any suggestions on how our Perl scripts and their associated modules can be best organized in the light of this new development?

. is not where the script is located, that's $FindBin::Bin. . is from where the script was called. – choroba
@choroba, Using $FindBin::RealBin instead of $FindBin::Bin gives free support for symlinks to your executable. – ikegami
@Quentin, Nonsense! First of all, if you use Plack, you might still be using CGI or Fast CGI, so it's not an alternative to CGI at all! And secondly, unless you're saying Plack adds the handler's file's path to @INC -- and I doubt you are -- it wouldn't help at all! For all we know, the OP is using Plack, so your comment is not constructive or useful at all. – ikegami

2 Answers

2
votes

No, placing modules in the same directory as the script isn't a security vulnerability. Assuming the current work directory (.) is the script's directory is a bug and a security vulnerability.

. was never guaranteed to be the directory in which the script is located. (In fact, time and time again, people have found . to be / in CGI scripts.) Just keep using what you should already be using:

use FindBin qw( $RealBin );
use lib $RealBin;

1
votes

An alternative to FindBin is:

#!/usr/bin/env perl

use strict;
use warnings;

use File::Basename qw( dirname );
use File::Spec::Functions qw( rel2abs );

use lib rel2abs( dirname(__FILE__) );

print "$_\n" for @INC;

As @ikegami points out, if you want to be able to invoke the script via symlinks, you'll need:

use Cwd qw( abs_path );
use lib dirname(abs_path($0));
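A runnable demonstration of what both answers and the comments describe, added here as an example (it is not code from the question or from either answer). It builds a throwaway application directory containing a module beside three scripts that differ only in how they extend @INC, then runs each script from an unrelated cwd, both directly and through a symlink. The module name MyApp, the temp directories and a POSIX system (symlink, /bin/sh for the 2>&1 redirection) are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example (not code from either answer): creates a throwaway app
# directory with MyApp.pm beside three scripts that differ only in how they
# extend @INC, then runs each from an unrelated cwd, directly and through a
# symlink. Only the $FindBin::RealBin variant finds the module every time.
# Assumes a POSIX system (symlink, /bin/sh for the 2>&1 redirection).
use strict;
use warnings;
use File::Temp qw( tempdir );
use File::Spec::Functions qw( catfile );

my $app   = tempdir( CLEANUP => 1 );   # stands in for the web application's directory
my $other = tempdir( CLEANUP => 1 );   # stands in for whatever cwd the web server uses

sub write_file {
    my ( $path, $content ) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
}

# The module that lives next to the scripts, as in the question.
write_file( catfile( $app, 'MyApp.pm' ),
    "package MyApp;\nsub hello { 'loaded from ' . __FILE__ }\n1;\n" );

# Three ways of locating the module; q{} keeps $Bin/$RealBin literal here.
my %variants = (
    legacy  => q{use lib '.';},                                   # pre-5.26 assumption: "." is the script dir
    bin     => q{use FindBin qw( $Bin );     use lib $Bin;},      # correct dir, but not through a symlink
    realbin => q{use FindBin qw( $RealBin ); use lib $RealBin;},  # the accepted answer's recommendation
);
for my $name ( keys %variants ) {
    write_file( catfile( $app, "$name.pl" ),
        "use strict;\nuse warnings;\n$variants{$name}\nrequire MyApp;\nprint MyApp::hello(), \"\\n\";\n" );
}

chdir $other or die "chdir $other: $!";   # run from a directory that is NOT the app directory

for my $name ( sort keys %variants ) {
    my $direct = catfile( $app,   "$name.pl" );
    my $link   = catfile( $other, "$name-link.pl" );
    symlink $direct, $link or die "symlink $link: $!";
    for my $script ( $direct, $link ) {
        my $out = `$^X "$script" 2>&1`;          # child perl; output is the module path or an error
        my ($first) = split /\n/, $out;
        printf "%-8s %-8s %s\n", $name, ( $script eq $link ? 'symlink' : 'direct' ), $first;
    }
}
```

The legacy variant fails in both runs because "." is the cwd, the $Bin variant fails only through the symlink, and the $RealBin variant reports the module's path from the app directory in all cases.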