I've got a DLL which makes a call to SetDllDirectory() in its DllMain() function. The argument to SetDllDirectory() is the directory in which the DLL resides, as returned by the GetModuleFileName() function. The effect of this is that if the DLL is placed as c:/foo/bar.dll, then loading bar.dll will add c:/foo to the DLL search path of the calling process.
My question is: does this open up any form of security hole? Would it be safer to perform the SetDllDirectory() call in a function which had to be explicitly called by the process loading the library?