summaryrefslogtreecommitdiff
path: root/pod/perlsec.pod
diff options
context:
space:
mode:
Diffstat (limited to 'pod/perlsec.pod')
-rw-r--r--pod/perlsec.pod17
1 files changed, 8 insertions, 9 deletions
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index facddedfbf..2b6972701f 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -1,4 +1,3 @@
-
=head1 NAME
perlsec - Perl security
@@ -17,7 +16,7 @@ Perl automatically enables a set of special security checks, called I<taint
mode>, when it detects its program running with differing real and effective
user or group IDs. The setuid bit in Unix permissions is mode 04000, the
setgid bit mode 02000; either or both may be set. You can also enable taint
-mode explicitly by using the the B<-T> command line flag. This flag is
+mode explicitly by using the B<-T> command line flag. This flag is
I<strongly> suggested for server programs and any program run on behalf of
someone else, such as a CGI script.
@@ -33,7 +32,7 @@ You may not use data derived from outside your program to affect something
else outside your program--at least, not by accident. All command-line
arguments, environment variables, and file input are marked as "tainted".
Tainted data may not be used directly or indirectly in any command that
-invokes a subshell, nor in any command that modifies files, directories,
+invokes a sub-shell, nor in any command that modifies files, directories,
or processes. Any variable set within an expression that has previously
referenced a tainted value itself becomes tainted, even if it is logically
impossible for the tainted value to influence the variable. Because
@@ -102,9 +101,9 @@ taintedness. Instead, the slightly more efficient and conservative
approach is used that if any tainted value has been accessed within the
same expression, the whole expression is considered tainted.
-But testing for taintedness only gets you so far. Sometimes you just have
+But testing for taintedness gets you only so far. Sometimes you have just
to clear your data's taintedness. The only way to bypass the tainting
-mechanism is by referencing subpatterns from a regular expression match.
+mechanism is by referencing sub-patterns from a regular expression match.
Perl presumes that if you reference a substring using $1, $2, etc., that
you knew what you were doing when you wrote the pattern. That means using
a bit of thought--don't just blindly untaint anything, or you defeat the
@@ -123,7 +122,7 @@ or a dot.
die "Bad data in $data"; # log this somewhere
}
-This is fairly secure since C</\w+/> doesn't normally match shell
+This is fairly secure because C</\w+/> doesn't normally match shell
metacharacters, nor are dot, dash, or at going to mean something special
to the shell. Use of C</.+/> would have been insecure in theory because
it lets everything through, but Perl doesn't check for that. The lesson
@@ -156,7 +155,7 @@ prevent stupid mistakes, not to remove the need for thought.
Perl does not call the shell to expand wild cards when you pass B<system>
and B<exec> explicit parameter lists instead of strings with possible shell
wildcards in them. Unfortunately, the B<open>, B<glob>, and
-backtick functions provide no such alternate calling convention, so more
+back-tick functions provide no such alternate calling convention, so more
subterfuge will be required.
Perl provides a reasonably safe way to open a file or pipe from a setuid
@@ -168,11 +167,11 @@ environment variables, umasks, current working directories, back to the
originals or known safe values. Then the child process, which no longer
has any special permissions, does the B<open> or other system call.
Finally, the child passes the data it managed to access back to the
-parent. Since the file or pipe was opened in the child while running
+parent. Because the file or pipe was opened in the child while running
under less privilege than the parent, it's not apt to be tricked into
doing something it shouldn't.
-Here's a way to do backticks reasonably safely. Notice how the B<exec> is
+Here's a way to do back-ticks reasonably safely. Notice how the B<exec> is
not called with a string that the shell could expand. This is by far the
best way to call something that might be subjected to shell escapes: just
never call the shell at all. By the time we get to the B<exec>, tainting
View Lorry Controller Status