
This queue is for tickets about the Module-Find CPAN distribution.

Report information
The Basics
Id: 127657
Status: resolved
Priority: 0/
Queue: Module-Find

Owner: Nobody in particular
Requestors: ether [...]

Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 0.15

Subject: security risk: wrong module can be loaded when using @ModuleDirs
@ModuleDirs only adjusts what directories are searched in, not what directories the module is loaded from... so if you search in one directory but the same module name exists in @INC, the 'eval "require $m"' will load the wrong file. This is a potential security risk. @INC should be localized to @ModuleDirs first, if it is set.
Thank you for reporting this. This is indeed a potential security risk (and a functional bug) when using setmoduledirs to set an array of directories that does not include @INC. I've fixed it in 0.15.
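
A minimal reproduction of the behaviour discussed in this ticket, as an added example that is not Module::Find's code or its 0.15 fix. The names `find_in`, `load_from`, `DemoPlugin` and the two temporary directories are constructed for illustration, and the localized branch applies the `@INC` localization suggested in the report.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed layout: the same module name exists in two directories.
my $plugin_dir = tempdir(CLEANUP => 1);   # directory we intend to search AND load from
my $other_dir  = tempdir(CLEANUP => 1);   # unrelated directory that is on the global @INC
for my $pair ([$plugin_dir, 'plugin_dir'], [$other_dir, 'other_dir']) {
    my ($dir, $origin) = @$pair;
    my $path = File::Spec->catfile($dir, 'DemoPlugin.pm');
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} "package DemoPlugin;\nsub origin { '$origin' }\n1;\n";
    close $fh or die "cannot close $path: $!";
}

# Search step: only the configured directories are scanned (the role of @ModuleDirs).
sub find_in {
    my @dirs = @_;
    my %seen;
    for my $dir (@dirs) {
        opendir my $dh, $dir or next;
        for my $file (readdir $dh) {
            $seen{$1} = 1 if $file =~ /^(\w+)\.pm\z/;
        }
        closedir $dh;
    }
    return sort keys %seen;
}

# Load step: with $localize false, require resolves the name against the global @INC.
sub load_from {
    my ($module, $localize, @dirs) = @_;
    delete $INC{"$module.pm"};              # forget earlier loads so require runs again
    local @INC = $localize ? @dirs : @INC;  # the mitigation proposed in the report
    eval "require $module" or die $@;
    return $module->origin;
}

unshift @INC, $other_dir;    # a same-named module is reachable through @INC
my @module_dirs = ($plugin_dir);            # stands in for @ModuleDirs
for my $m (find_in(@module_dirs)) {
    printf "%s: global \@INC loads copy from %s, localized \@INC loads copy from %s\n",
        $m, load_from($m, 0, @module_dirs), load_from($m, 1, @module_dirs);
}
```

The module is found in the plugin directory in both cases; only the localized call also loads it from there.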
