WEB HOSTING SUPPORT NETWORK

Perl users: Removal of the current directory from the module load path (removing '.' from @INC)

This article explains an upcoming change in the Perl configuration on our servers. It may affect scripts that load modules from the current working directory (cwd).

General

Back in 2016, Debian developers announced that they would gradually remove the current working directory ('.') from the module load path (@INC), because this practice is potentially dangerous and can allow malicious code to run under certain circumstances. More information can be found in the Debian lists here.

Following this announcement, the inclusion of '.' in the load path has been made configurable in Debian Stretch, which is the current Debian version on our servers.

Current configuration

Our servers are currently configured to keep the previous behavior: the working directory is still included in the module load path, as the last entry and therefore with the lowest precedence.

The future change

With the next major Debian release, the option to leave '.' in the @INC array server-wide will no longer be available. This means that the only way to keep this behavior will be to set it in the user scripts themselves. That is why we are warning our Perl users: make sure that your scripts do not rely on the inclusion of the current directory in the module load path.

If you have Perl scripts on your site, and especially if they are custom-made, we advise you to review them or consult their developers, to make sure that your scripts will not be affected by the removal of '.' from @INC.

Removing '.' from @INC now

If you would like to eliminate the possible security threat now by removing '.' from @INC, you can do this using one of the following methods:

Method 1: Create an empty file named PERL_DISABLE_UNSAFE_INC in the private folder of your account (/home/$your_CP_username/private/PERL_DISABLE_UNSAFE_INC)

With this file in place, you can test whether your Perl scripts are compatible with the future change. Adding the file disables the unsafe @INC entry for all scripts on the account.

Method 2: Use this line of code at the beginning of your Perl scripts:

    BEGIN { pop @INC if $INC[-1] eq '.' }

This line disables the unsafe @INC entry for the particular script only.
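The following script is an added example (it is not part of the original article and not something provided by the hosting provider). It applies the same pop as Method 2, then reports, for each module name given on the command line, whether the module still resolves without '.' in @INC, or whether it is only reachable through the current directory and will therefore break after the change. The module names in the default list (MyLocalHelper) are assumed placeholders; replace them with the modules your own scripts use.

```perl
#!/usr/bin/perl
# Added example, not from the original article: find modules that a script
# can only load because '.' is the last entry of @INC.
use strict;
use warnings;

# Remove a trailing '.' exactly as the article's Method 2 does, but remember
# whether it was there so the report can show the interpreter's current state.
my $had_dot;
BEGIN {
    $had_dot = (@INC && $INC[-1] eq '.') ? 1 : 0;
    pop @INC if $had_dot;
}

# Modules to check: command-line arguments, or an assumed default list.
# MyLocalHelper is a placeholder name; Data::Dumper is a core module and
# should always resolve.
my @modules = @ARGV ? @ARGV : qw(MyLocalHelper Data::Dumper);

print "Interpreter had '.' at the end of \@INC: ", ($had_dot ? "yes" : "no"), "\n";

for my $mod (@modules) {
    # Foo::Bar -> Foo/Bar.pm, the file name that require looks up in @INC
    (my $file = "$mod.pm") =~ s{::}{/}g;

    if (eval { require $file; 1 }) {
        print "OK        $mod (found at $INC{$file})\n";
        next;
    }

    # Not found without '.': if the file exists relative to the cwd, the
    # script was relying on the entry that the upcoming change removes.
    if (-f $file) {
        print "CWD-ONLY  $mod (only reachable via '.'; will break after the change)\n";
    } else {
        print "MISSING   $mod (not found anywhere in \@INC)\n";
    }
}
```

Run it from the directory your script normally runs in, passing the module names your script uses, e.g. `perl check_inc.pl MyLocalHelper CGI`. A CWD-ONLY line means that module needs either Method 2 of "Keeping the current behavior" below, or a proper load path entry, before the configuration change.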

Setting '.' as a primary include source

If you would like to load modules with priority from your current working directory, you can use this line at the beginning of your scripts:

    use lib '.';

With this line, your scripts will continue to load modules from the current directory even after the mentioned future configuration change.
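Because the current working directory depends on where the script is started from, an alternative worth knowing is to load modules from the directory of the script itself, which is the same directory regardless of the caller's cwd. The script below is an added example, not from the original article; it uses the core FindBin module, assumes the layout script.pl next to lib/MyHelper.pm, and MyHelper is an assumed module name.

```perl
#!/usr/bin/perl
# Added example, not from the original article: give highest precedence to
# modules shipped next to the script, instead of to the caller's cwd.
use strict;
use warnings;
use FindBin qw($RealBin);     # directory containing this script, symlinks resolved
use lib "$RealBin/lib";       # assumed layout: script.pl and lib/ side by side

# `use lib` prepends to @INC, so this directory now has the highest precedence,
# like the article's `use lib '.'`, but it does not change with the cwd.

# Load a module by name and return the path it was actually loaded from,
# or die with a message that names the directory that was searched first.
sub load_local {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return $INC{$file} if eval { require $file; 1 };
    die "Could not load $module from $RealBin/lib or the rest of \@INC: $@";
}

my $where = load_local('MyHelper');   # assumed module name
print "MyHelper loaded from $where\n";
print "First entry of \@INC is now: $INC[0]\n";
```

With this approach the script keeps working after '.' is removed from @INC, and it does not pick up a module of the same name from whatever directory the script happens to be invoked in.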

Keeping the current behavior

If you would like to keep the behavior as it is now after the configuration change, you can use one of the following methods:

Method 1: Create an empty file named PERL_USE_UNSAFE_INC in the private folder of your account (/home/$your_CP_username/private/PERL_USE_UNSAFE_INC)

With this file in place, all your Perl scripts will continue to load modules from the current directory, with the lowest precedence. Note that this will be possible ONLY until the upgrade to Debian 10 Buster.

Method 2: Use this line of code at the beginning of your Perl scripts:

    BEGIN { push @INC, '.' }

With this line, modules in the current directory will be loaded with the lowest precedence for the particular script. Note that this will be possible ONLY until the upgrade to Debian 10 Buster.

The deadline

Although we cannot specify an exact deadline, because we do not know when the next major Debian upgrade will take place, we advise our users to pay attention to this matter and make sure that their scripts are compatible. In February 2019, we plan to switch the default behavior of the Perl interpreter to exclude '.' from @INC. Please take steps before then to check whether your Perl scripts are compatible. If they are not, and you cannot fix them before that date, use the PERL_USE_UNSAFE_INC setup to give yourself more time, until the upgrade to Debian 10.