Perl users: Removal of the current directory from the module load path (removing '.' from @INC)

UPDATE as of December 2020: All our servers are currently running Debian Buster. To have the current/working directory as a module load path, you can use only Method 2 described below.


Dated: 15 February 2019

This article is to explain an upcoming change in the configuration of Perl. It may affect scripts which load modules from the current working directory (cwd).


Back in 2016, Debian developers announced that they will be gradually removing cwd (.) from the module load path (@INC), as this practice is potentially dangerous, and can allow running malicious code under certain circumstances. More information can be found in the Debian lists.

Following this announcement, the inclusion of (.) in the load path has been made configurable in Debian Stretch - this is the current Debian version on our servers.

With the next major Debian release, the option to leave '.' in the @INC array server-wide will become unavailable. This means that the only way to keep this behavior would be to set it in the user scripts. That's why we are warning our Perl users - to make sure that their scripts do not rely on the inclusion of the current directory in the module load path.

If you have Perl scripts on your site, and especially if they are custom-made, we advise you to revise them or consult their developers, to make sure that your scripts are not affected by the removal of (.) from @INC.

Current configuration

On February 9th 2019, the current working directory (.) was removed from the search path (@INC) on all servers.

Re-enabling the old behavior

If you would like to re-enable the behavior as it was before the configuration change, you can use one of the following methods:

Method 1: Create in the private folder of your account an empty file named PERL_USE_UNSAFE_INC (/home/$your_CP_username/private/PERL_USE_UNSAFE_INC)

With this file in place, all your Perl scripts will load modules from the current directory, with the lowest precedence. Note that this will be possible ONLY until the upgrade to Debian 10 Buster.

Method 2: Add this line at the beginning of your Perl script/s:
use lib '.';

This line adds the current directory to the beginning of Perl's search path  (@INC). Your scripts will continue to load modules from the current directory even after the upgrade to Debian 10 Buster.

The deadline

Although we cannot specify an exact deadline, as we cannot state when the next major Debian upgrade would be, we advise our users to pay attention to this matter and make sure that their scripts are compatible.