It seems quite reasonable one could provide an alternative `ifport` and inject some fake (and potentially malevolent) subroutines:

```fortran
module ifport
   public
   character(len=*), parameter :: msg = "hello"
end module

program main
   use ifport ! oops, not the Intel one
   implicit none
   print *, msg
end program
```

```
$ ifort test_ifport.f90
$ ./a.out
hello
```

One can move the mock `ifport` module into a separate file, but the search order for `use` puts the source folder on the top:

> When the compiler is looking for .mod and .smod files, directories are searched in this order:
>
> - In the directory of the source file that contains the USE statement
> - In the directories specified by compiler option module path
> - In the current working directory
> - In the directories specified by compiler options -Idir (Linux* and macOS) or /include (Windows*)
> - In the directories specified with environment variables CPATH or INCLUDE
> - In the standard system directories

Addendum: Security issues of Fortran have been discussed in this thread: "What about security issues in Fortran?"

Looking into ISO/IEC/JTC 1/SC 22/WG 23 DOCUMENT REGISTER, the document N1319 on Fortran Vulnerability states in Section 4.4:

> The Fortran standard defines a set of intrinsic procedures and intrinsic modules, and allows a processor to extend this set with further procedures and modules. A program that uses an intrinsic procedure or module not defined by the standard is not standard-conforming. A program that uses an entity not defined by the standard from a module defined by the standard is not standard-conforming. Use of intrinsic procedures or modules not defined by the standard should be avoided. Processors are able to detect and report the use of intrinsic procedures or modules not defined by the standard.

I must say the paragraph is confusing…
- The first sentence implies intrinsic modules are defined by the standard.
- The second sentence says that using an intrinsic module not defined by the standard is not standard conforming, which would imply what NAG does goes against the standard.
- The third sentence seems reasonable, standard modules should not define anything extra.
- The fourth sentence recommends avoiding the use of non-standard intrinsic procedures or modules.
- And the last sentence states processors should be able to report when a non-standard intrinsic procedure or module is used.
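
A pre-build check that follows from the search order quoted above, as an added example that is not part of the original post: it walks a source tree for local definitions of a watched module name (a `module` statement in source, or a `.mod` file) and reports the `use` statements sitting in the same directory. The watch list, the source suffixes and the name `scan_tree` are assumptions, and the match is a line-based heuristic rather than a Fortran parser.

```python
import re
import sys
from pathlib import Path

PROTECTED = {"ifport"}  # assumed watch list; ifport is the name used in the post
SOURCES = {".f", ".for", ".f90", ".f95", ".f03", ".f08"}  # assumed suffixes
# "module name" only: skips "end module", "submodule (...)", "module procedure ..."
MODULE_DEF = re.compile(r"^\s*module\s+(?!procedure\b)([a-z]\w*)\s*(?:!.*)?$", re.I)
# "use name", "use :: name", "use, intrinsic :: name", "use name, only: ..."
USE_STMT = re.compile(
    r"^\s*use\b\s*(?:,\s*(?:non_)?intrinsic\s*)?(?:::)?\s*([a-z]\w*)", re.I)


def scan_tree(root, protected=PROTECTED):
    """Return (shadows, exposed) as lists of (module, path, line) tuples.

    shadows: local definitions of a watched module (line 0 for a .mod file).
    exposed: USE statements in a directory that also holds such a definition.
    """
    shadows, uses = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == ".mod" and path.stem.lower() in protected:
            shadows.append((path.stem.lower(), path, 0))
        elif ext in SOURCES:
            text = path.read_text(errors="replace")
            for n, line in enumerate(text.splitlines(), 1):
                d, u = MODULE_DEF.match(line), USE_STMT.match(line)
                if d and d.group(1).lower() in protected:
                    shadows.append((d.group(1).lower(), path, n))
                if u and u.group(1).lower() in protected:
                    uses.append((u.group(1).lower(), path, n))
    # First entry of the search order: the directory of the file with USE wins.
    shadow_dirs = {(name, p.parent) for name, p, _ in shadows}
    exposed = [u for u in uses if (u[0], u[1].parent) in shadow_dirs]
    return shadows, exposed


if __name__ == "__main__":
    found, at_risk = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, path, line in found:
        print(f"local definition of '{name}': {path}:{line}")
    for name, path, line in at_risk:
        print(f"use of '{name}' may resolve locally: {path}:{line}")
    sys.exit(1 if found else 0)
```

Directories passed via the module path option, `-Idir`, `CPATH` or `INCLUDE` are not covered unless they sit under the scanned root.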