CVE-2016-1238: avoid loading VMS::Feature from the default . (#276)
ExtUtils::Command attempts to load VMS::Feature on VMS, ignoring errors when loading it. If VMS has such a thing as a global, world-writable directory, like /tmp on POSIX systems, and VMS::Feature is not installed, and a user runs a program that loads ExtUtils::Command with such a directory as the current directory, an attacker can create VMS/Feature.pm in that directory to run code as the original user. This removes the default . from the end of @INC to prevent that.
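The mitigation the commit message describes, written out as an added example (not the code from this commit): an optional module is loaded with the trailing `.` dropped from a localized copy of `@INC`. The helper `require_optional` and the marker module `Local::Probe` are constructed for illustration, and the scratch directory stands in for a shared working directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use Cwd qw(getcwd);

# Hypothetical helper: load an optional module without searching the
# current directory. Returns 1 if the module loaded, 0 otherwise.
sub require_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    # Work on a copy so the caller's search path is untouched, and drop
    # the trailing "." that older perl builds append by default.
    local @INC = @INC;
    pop @INC if @INC && $INC[-1] eq '.';
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed scenario: a scratch directory holding a harmless marker
# module that only sets a flag when it is loaded.
my $orig = getcwd();
my $dir  = tempdir(CLEANUP => 1);
make_path("$dir/Local");
open my $fh, '>', "$dir/Local/Probe.pm" or die "open: $!";
print {$fh} "package Local::Probe;\n\$main::probe_loaded = 1;\n1;\n";
close $fh or die "close: $!";
chdir $dir or die "chdir: $!";

# Simulate a default search path that ends in ".".
push @INC, '.' unless @INC && $INC[-1] eq '.';

our $probe_loaded = 0;
my $found = require_optional('Local::Probe');
printf "guarded load:   found=%d marker=%d\n", $found, $probe_loaded;

# For contrast, the same optional load without the guard resolves the
# module from the current directory.
eval { require Local::Probe; 1 };
printf "unguarded load: marker=%d\n", $probe_loaded;

chdir $orig or die "chdir: $!";
```

Because `@INC` is localized inside the helper, the rest of the program keeps its original search path; only the optional load is restricted.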