Subject: | security risk: wrong module can be loaded when using @ModuleDirs |
@ModuleDirs only adjusts what directories are searched in, not what directories the module is loaded from... so if you search in one directory but the same module name exists in @INC, the 'eval "require $m"' will load the wrong file. This is a potential security risk.
@INC should be localized to @ModuleDirs first, if it is set.