From 59697efbfe58a2a9c2cc2aba11eca2acb64b27a8 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 14:18:12 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .

App::Prove (and hence prove) attempts to load plugins under both
the App::Prove::Plugin namespace and under the base namespace.

If a plugin is only available under the base namespace, and a user runs
prove from a world-writable directory such as /tmp, an attacker can
App/Prove/Plugin/PluginName.pm to run code as the user running prove.
---
 bin/prove | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/prove b/bin/prove
index 6637cc4..d71b238 100755
--- a/bin/prove
+++ b/bin/prove
@@ -1,5 +1,6 @@
 #!/usr/bin/perl -w
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 use App::Prove;
-- 
2.1.4