author | M. J. T. Guy <mjtg@cus.cam.ac.uk> | 1998-06-24 14:13:02 +0100 |
---|---|---|
committer | Gurusamy Sarathy <gsar@cpan.org> | 1998-06-28 19:18:29 +0000 |
commit | 62f468fcc5ab60fb5a3476c4f51edf76066f5db7 (patch) | |
tree | a76a004fbe880fbb21e74437c789e34240b77fea /pod | |
parent | d09ae4e65fd5bf88945016a3fc05dfaedbf59acc (diff) | |
download | perl-62f468fcc5ab60fb5a3476c4f51edf76066f5db7.tar.gz |
Insecure $ENV{} message out of step with perldiag
Message-Id: <E0yooQA-0003za-00@taurus.cus.cam.ac.uk>
p4raw-id: //depot/perl@1236
Diffstat (limited to 'pod')
-rw-r--r-- | pod/perldiag.pod | 5 | ||||
-rw-r--r-- | pod/perlsec.pod | 2 |
2 files changed, 4 insertions, 3 deletions
diff --git a/pod/perldiag.pod b/pod/perldiag.pod index 7d39630240..d6d261bb44 100644 --- a/pod/perldiag.pod +++ b/pod/perldiag.pod @@ -1301,10 +1301,11 @@ for more information. script if C<$ENV{PATH}> contains a directory that is writable by the world. See L<perlsec>. -=item Insecure PATH +=item Insecure $ENV{%s} while running %s (F) You can't use system(), exec(), or a piped open in a setuid or -setgid script if C<$ENV{PATH}> is derived from data supplied (or +setgid script if any of C<$ENV{PATH}>, C<$ENV{IFS}>, C<$ENV{CDPATH}>, +C<$ENV{ENV}> or C<$ENV{BASH_ENV}> are derived from data supplied (or potentially supplied) by the user. The script must set the path to a known value, using trustworthy data. See L<perlsec>. diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 4a743c7430..0b22acd9cd 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -88,7 +88,7 @@ For example: @files = glob('*.c'); # Always insecure (uses csh) If you try to do something insecure, you will get a fatal error saying -something like "Insecure dependency" or "Insecure PATH". Note that you +something like "Insecure dependency" or "Insecure $ENV{PATH}". Note that you can still write an insecure B<system> or B<exec>, but only by explicitly doing something like the "considered secure" example above. |
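Review bot: In the pod/perldiag.pod hunk, the unchanged closing sentence "The script must set the path to a known value, using trustworthy data." still speaks only of the path, although the entry now also covers C<$ENV{IFS}>, C<$ENV{CDPATH}>, C<$ENV{ENV}> and C<$ENV{BASH_ENV}>. Suggest rewording it along the lines of "The script must set each of these variables to a known value, using trustworthy data." The new heading "Insecure $ENV{%s} while running %s" also has a second %s that the body never explains, so a short phrase saying what it stands for would help. Finally, "any of ... are derived" reads better as "any of ... is derived".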
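Review bot: In the pod/perlsec.pod hunk, the sample message "Insecure $ENV{PATH}" names only PATH, while the perldiag entry updated in this same patch lists IFS, CDPATH, ENV and BASH_ENV as well, so a reader of perlsec gets no hint that those variables raise the same error. Suggest either mentioning the other variables in this sentence or adding a pointer such as "see L<perldiag>" for the full list. The changed line is also longer than its neighbours and could be rewrapped to match the surrounding paragraph.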