Document why syslog($priority, "%s", $message) is a good idea

if the code might be running with older versions of Sys::Syslog. p4raw-id: //depot/perl@26277
author: Gisle Aas <gisle@activestate.com> 2005-12-06 14:45:30 +0000
committer: Gisle Aas <gisle@activestate.com> 2005-12-06 14:45:30 +0000
commit: 9903e4c84e85816608d5d27aaf47be642c39ddcd (patch)
tree: 8dba89badf87cb25f979f7ba7387f82d80b3bad0 /ext/Sys
parent: fb1ee0ec5828ec8a55002a46636da2e885a4fc4c (diff)
download: perl-9903e4c84e85816608d5d27aaf47be642c39ddcd.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/Sys/Syslog/Syslog.pm b/ext/Sys/Syslog/Syslog.pm
index d06ac17de6..56cf18ad84 100644
--- a/ext/Sys/Syslog/Syslog.pm
+++ b/ext/Sys/Syslog/Syslog.pm
@@ -77,6 +77,14 @@ If you didn't use openlog() before using syslog(), syslog will try to
 guess the I<$ident> by extracting the shortest prefix of I<$format>
 that ends in a ":".
 
+Note that Sys::Syslog version v0.07 and older passed the $message as
+the formatting string to sprintf() even when no formatting arguments
+where provided.  If the code calling syslog() might execute with older
+versions of this module, make sure to call the function as
+syslog($priority, "%s", $message) instead of syslog($priority,
+$message).  This protects against hostile formatting sequences that
+might show up if $message contains tainted data.
+
 =item setlogmask $mask_priority
 
 Sets log mask I<$mask_priority> and returns the old mask.
author	Gisle Aas <gisle@activestate.com>	2005-12-06 14:45:30 +0000
committer	Gisle Aas <gisle@activestate.com>	2005-12-06 14:45:30 +0000
commit	9903e4c84e85816608d5d27aaf47be642c39ddcd (patch)
tree	8dba89badf87cb25f979f7ba7387f82d80b3bad0 /ext/Sys
parent	fb1ee0ec5828ec8a55002a46636da2e885a4fc4c (diff)
download	perl-9903e4c84e85816608d5d27aaf47be642c39ddcd.tar.gz