Skip Menu |

This queue is for tickets about the Module-Find CPAN distribution.

Report information
The Basics
Id: 127657
Status: resolved
Priority: 0/
Queue: Module-Find

People
Owner: Nobody in particular
Requestors: ether [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 0.15



Subject: security risk: wrong module can be loaded when using @ModuleDirs
@ModuleDirs only adjusts what directories are searched in, not what directories the module is loaded from... so if you search in one directory but the same module name exists in @INC, the 'eval "require $m"' will load the wrong file. This is a potential security risk. @INC should be localized to @ModuleDirs first, if it is set.
Thank you for reporting this. This is indeed a potential security risk (and a functional bug) when using setmoduledirs to set an array of directories that does not include @INC. I've fixed it in 0.15.