author: Tony Cook <tony@develop-help.com> 2018-01-24 15:03:39 +1100
committer: Tony Cook <tony@develop-help.com> 2018-11-05 10:19:05 +1100
commit: e459aaffe40291395017cc002fc6d261e7cae0ae (patch)
tree: 2dae59e2da7acd1d1d1229ad485321e085e149ee
parent: f196658042490a6287fc178f0bc20fd5558ac54b (diff)
download: perl-e459aaffe40291395017cc002fc6d261e7cae0ae.tar.gz
(perl #132147) add security warnings to the *DBM_File modules
-rw-r--r-- ext/GDBM_File/GDBM_File.pm | 12
-rw-r--r-- ext/NDBM_File/NDBM_File.pm | 17
-rw-r--r-- ext/ODBM_File/ODBM_File.pm | 17
-rw-r--r-- ext/SDBM_File/SDBM_File.pm |  8
4 files changed, 54 insertions, 0 deletions
diff --git a/ext/GDBM_File/GDBM_File.pm b/ext/GDBM_File/GDBM_File.pm
index a33b8b59b1..fe34470bd3 100644
--- a/ext/GDBM_File/GDBM_File.pm
+++ b/ext/GDBM_File/GDBM_File.pm
@@ -31,6 +31,18 @@ C<ftp.gnu.org>, but you are strongly urged to use one of the many
mirrors. You can obtain a list of mirror sites from
L<http://www.gnu.org/order/ftp.html>.
+=head1 SECURITY AND PORTABILITY
+
+B<Do not accept GDBM files from untrusted sources.>
+
+GDBM files are not portable across platforms.
+
+The GDBM documentation doesn't imply that files from untrusted sources
+can be safely used with C<libgdbm>.
+
+A maliciously crafted file might cause perl to crash or even expose a
+security vulnerability.
+
=head1 BUGS
The available functions and the gdbm/perl interface need to be documented.
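Review bot: the sentence "The GDBM documentation doesn't imply that files from untrusted sources can be safely used with C<libgdbm>" is a weak double negative that a reader can misparse as reassurance; since the section's point is that there is no safety guarantee, state it directly, e.g. "The GDBM documentation makes no claim that files from untrusted sources can be safely used with C<libgdbm>." The two-sentence structure ("A maliciously crafted file might cause perl to crash or even expose a security vulnerability.") is good, but consider placing that consequence immediately after the bold warning so the risk is read before the portability note.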
diff --git a/ext/NDBM_File/NDBM_File.pm b/ext/NDBM_File/NDBM_File.pm
index fc250ec840..97c3917c92 100644
--- a/ext/NDBM_File/NDBM_File.pm
+++ b/ext/NDBM_File/NDBM_File.pm
@@ -104,6 +104,23 @@ This warning is emitted when you try to store a key or a value that
is too long. It means that the change was not recorded in the
database. See BUGS AND WARNINGS below.
+=head1 SECURITY AND PORTABILITY
+
+B<Do not accept NDBM files from untrusted sources.>
+
+On modern Linux systems these are typically GDBM files, which are not
+portable across platforms.
+
+The GDBM documentation doesn't imply that files from untrusted sources
+can be safely used with C<libgdbm>.
+
+Systems that don't use GDBM compatibilty for ndbm support will be
+using a platform specific library, possibly inherited from BSD
+systems, where it may or may not be safe to use an untrusted file.
+
+A maliciously crafted file might cause perl to crash or even expose a
+security vulnerability.
+
=head1 BUGS AND WARNINGS
There are a number of limits on the size of the data that you can
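Review bot: typo in the added paragraph: "+Systems that don't use GDBM compatibilty for ndbm support" should read "compatibility", and "platform specific library" should be hyphenated as "platform-specific library". The same "doesn't imply" double negative as in the GDBM hunk appears here ("The GDBM documentation doesn't imply that files from untrusted sources can be safely used"); "makes no claim that" reads unambiguously. Since this text is duplicated almost verbatim in ODBM_File.pm, fix the wording in both files together so the two modules' POD does not drift.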
diff --git a/ext/ODBM_File/ODBM_File.pm b/ext/ODBM_File/ODBM_File.pm
index 99799bc520..6d89a229f6 100644
--- a/ext/ODBM_File/ODBM_File.pm
+++ b/ext/ODBM_File/ODBM_File.pm
@@ -101,6 +101,23 @@ This warning is emitted when you try to store a key or a value that
is too long. It means that the change was not recorded in the
database. See BUGS AND WARNINGS below.
+=head1 SECURITY AND PORTABILITY
+
+B<Do not accept ODBM files from untrusted sources.>
+
+On modern Linux systems these are typically GDBM files, which are not
+portable across platforms.
+
+The GDBM documentation doesn't imply that files from untrusted sources
+can be safely used with C<libgdbm>.
+
+Systems that don't use GDBM compatibilty for old dbm support will be
+using a platform specific library, possibly inherited from BSD
+systems, where it may or may not be safe to use an untrusted file.
+
+A maliciously crafted file might cause perl to crash or even expose a
+security vulnerability.
+
=head1 BUGS AND WARNINGS
There are a number of limits on the size of the data that you can
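Review bot: same typo as in the NDBM hunk: "+Systems that don't use GDBM compatibilty for old dbm support" should be "compatibility", and "platform specific" should be "platform-specific". The "doesn't imply" phrasing is also repeated here and should be corrected in step with NDBM_File.pm and GDBM_File.pm. Minor: "old dbm" in this hunk versus "ndbm" in the NDBM hunk is the only difference between the two paragraphs; if the intent is to name the library being wrapped, "the original dbm" or "ODBM" would be clearer than "old dbm".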
diff --git a/ext/SDBM_File/SDBM_File.pm b/ext/SDBM_File/SDBM_File.pm
index 5df9085760..7be9263417 100644
--- a/ext/SDBM_File/SDBM_File.pm
+++ b/ext/SDBM_File/SDBM_File.pm
@@ -119,6 +119,14 @@ This warning is emitted when you try to store a key or a value that
is too long. It means that the change was not recorded in the
database. See BUGS AND WARNINGS below.
+=head1 SECURITY WARNING
+
+B<Do not accept SDBM files from untrusted sources!>
+
+The sdbm file format was designed for speed and convenience, not for
+portability or security. A maliciously crafted file might cause perl to
+crash or even expose a security vulnerability.
+
=head1 BUGS AND WARNINGS
There are a number of limits on the size of the data that you can
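Review bot: the heading "+=head1 SECURITY WARNING" is inconsistent with the "SECURITY AND PORTABILITY" heading added to the other three modules in this same commit, even though this paragraph also makes a portability statement ("designed for speed and convenience, not for portability or security"); using the same heading across all four *DBM_File modules makes the sections easy to find with C<perldoc> and to cross-reference. Likewise the bold warning ends with "!" here but with "." in the other three files; pick one. Otherwise the wording here is the clearest of the four and could serve as the model for the others.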