Remove "." from @INC

[obetz]

Hi Phil,

in Perl 5.26, '.' was removed for security reasons and I think ExifTool should also remove '.' from @INC.

Code Select Expand

@INC = grep(!/\./, @INC); should strip off "." in the list, but please double check this since I'm no Perl monk.

Oliver

[Phil Harvey]

Hi Oliver,

I don't want to do this since it may impact some people.  Plus, I already explicitly add "./lib" if running the script from the current directory, which I suppose is an equivalent security problem.

- Phil

[obetz]

First, I need to add some information to my original posting:

In the pp version (IOW exiftool.exe for Windows), '.' is not part of @INC. The pp bootstrap seems to strip it already (and add garbage, see https://exiftool.org/forum/index.php/topic,10144.msg52838.html#msg52838)

Sorry, I didn't check this when I opened this thread.

I don't want to do this since it may impact some people.  Plus, I already explicitly add "./lib" if running the script from the current directory

The reason to add $exeDir/lib is clear to me in non-pp versions, since script + libraries can be considered as a unit.

In the pp-version, the code $exeDir = ($0 =~ /(.*)[\\\/]/) ? $1 : '.'; won't ever return '.' because pp makes $0 always a full path to the exe (not the script!).

So back to non-Windows environments: The current directory '.' can be anywhere, not related to the location of the script. I can't imagine any adverse effect to strip '.'

But it's not important to change anything since '.' is at the end of @INC and usually the libs are found earlier and users running Perl 5.26 or later won't have it in @INC, anyway.

Oliver