path: root/pod/perlsec.pod
Commit message | Author | Age | Files | Lines (-/+)
* Remove documentation references to recent Configure taint changes
  Paul "LeoNerd" Evans | 2022-05-19 | 1 file | -16/+0

* Doc changes to reflect that perl might not support taint
  Neil Bowers | 2022-04-20 | 1 file | -0/+22
  The central doc change is in perlsec.pod. This not only explains that you can build a perl that doesn't support taint, but shows how you can check whether your perl supports taint or not. The other doc changes are mainly to note that taint might not be supported, and to refer the reader to perlsec for more details.
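The commit above says perlsec now shows how to check whether a given perl supports taint. The shell script below is an added example, not code from the perl repository or from this commit: it probes the perl on PATH using `${^TAINT}`, which perl sets to 1 while `-T` is in effect. A perl built with `-DSILENT_NO_TAINT_SUPPORT` accepts `-T` but never switches taint on (so `${^TAINT}` stays 0), and one built with `-DNO_TAINT_SUPPORT` refuses to start under `-T`. The `PERL` override variable and the status labels are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the perl repository): classify the taint support of
# the perl interpreter on PATH (or the one named by $PERL, an assumption of
# this script) by running it under -T and reading ${^TAINT}.
#
#   supported         -T accepted and ${^TAINT} is 1
#   silently-ignored  -T accepted but ${^TAINT} is 0 (-DSILENT_NO_TAINT_SUPPORT)
#   refused           perl exits non-zero when given -T (-DNO_TAINT_SUPPORT)
#   missing           no perl binary found

perl_taint_status() {
    bin="${PERL:-perl}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    # The check runs inside 'if' so a refusing perl does not trip 'set -e'.
    if out=$("$bin" -T -e 'print ${^TAINT}' 2>/dev/null); then
        if [ "$out" = "1" ]; then
            echo "supported"
        else
            echo "silently-ignored"
        fi
    else
        echo "refused"
    fi
}

# Deployment gate: succeed only when -T really enforces taint checks.
require_taint() {
    case "$(perl_taint_status)" in
        supported) return 0 ;;
        *)         return 1 ;;
    esac
}

echo "taint status: $(perl_taint_status)"
```

The "silently-ignored" case is the one a deployment check must catch: a script with `-T` on its `#!` line appears to run normally on such a perl while every taint check is a no-op.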
* (perl #133230) . is no longer in @INC by default
  Tony Cook | 2022-04-17 | 1 file | -2/+2

* Fix typos
  Samanta Navarro | 2020-10-03 | 1 file | -1/+1
  For: https://github.com/Perl/perl5/pull/18201
  Committer: Samanta Navarro is now a Perl author. To keep 'make test_porting' happy: Increment $VERSION in several files. Regenerate uconfig.h via './perl -Ilib regen/uconfig_h.pl'.

* Document the security team's processes and practices
  John Lightsey | 2020-09-10 | 1 file | -18/+8
  Add a new perlsecpolicy POD file with detailed descriptions of the security team's vulnerability remediation workflow and the criteria used to distinguish security issues from other types of bugs. This also switches the team's public contact address to perl-security@perl.org, and updates the security contact information shown in github's issue interface.

* Update links to perlrun to link to specific items
  Dan Book | 2020-01-28 | 1 file | -5/+6

* Be clearer about taint's effect on @INC.
  Dave Cross | 2019-10-23 | 1 file | -2/+3

* Fix taint mode @INC documentation
  Dave Cross | 2019-10-23 | 1 file | -2/+6
  Explain that -T no longer removes '.' from @INC because, since 5.26, '.' isn't in @INC to start with.

* Spelling corrections in pod/*.pod from Alexandr Savca.
  Alexandr Savca | 2018-04-19 | 1 file | -2/+2
  Alexandr Savca is now a Perl AUTHOR.
  For: RT #133120
  Committer: holding off on the corrections to pod/perlartistic.pod until clarification of change to license text.
* revise documentation about set-id
  Zefram | 2017-12-11 | 1 file | -20/+55
  perlsec's section on set-id scripts was written confusingly, with several half-formed references to the long-ago-deleted suidperl, and with temporal references that are well out of date. Revise that section, and slightly expand the perldiag entry for the message about detecting a set-id script. Add another section to perlsec about sudo. Fixes [perl #74142].

* rip out quicksort and sort algorithm control
  Zefram | 2017-11-17 | 1 file | -1/+1
  [perl #119635]

* perlsec: convert C snippet from K&R C to C89
  Lukas Mai | 2016-10-14 | 1 file | -3/+11
  Also include required headers and report errors on failure. (Inspired by afoken's post at <http://perlmonks.org/?node_id=1173959>.)

* fix link to crosby paper on hash complexity attack
  Doug Bell | 2016-05-11 | 1 file | -1/+1

* update security contact information.
  David Mitchell | 2016-04-08 | 1 file | -5/+18
  Point out that the security-reporting email address now creates an RT ticket. Also, consolidate this information purely within perlsec.pod, and make all the other places link to it with L<>.
* perlsec: Another typo
  Father Chrysostomos | 2014-08-31 | 1 file | -1/+1

* perlsec: Typo
  Father Chrysostomos | 2014-08-31 | 1 file | -1/+1

* perlsec: Consistent spaces after dots
  Father Chrysostomos | 2014-08-31 | 1 file | -19/+21

* [perl #121404] tied hashes are different
  Tony Cook | 2014-08-05 | 1 file | -0/+3

* perlsec: Nit
  Karl Williamson | 2014-02-19 | 1 file | -2/+3

* Documentation corrections from Wallace Reis++.
  James E Keenan | 2013-06-23 | 1 file | -1/+1
  For RT #118593, 118595, 118597, 118599.
* Quick fixes to Yves' hash randomization documentation
  Steffen Mueller | 2013-05-08 | 1 file | -20/+25

* Make it possible to disable and control hash key traversal randomization
  Yves Orton | 2013-05-07 | 1 file | -43/+65
  Adds support for PERL_PERTURB_KEYS environment variable, which in turn allows one to control the level of randomization applied to keys() and friends.

  When PERL_PERTURB_KEYS is 0 we will not randomize key order at all. The chance that keys() changes due to an insert will be the same as in previous perls, basically only when the bucket size is changed.

  When PERL_PERTURB_KEYS is 1 we will randomize keys in a non-repeatable way. The chance that keys() changes due to an insert will be very high. This is the most secure and default mode.

  When PERL_PERTURB_KEYS is 2 we will randomize keys in a repeatable way. Repetitive runs of the same program should produce the same output every time. The chance that keys changes due to an insert will be very high.

  This patch also makes PERL_HASH_SEED imply a non-default PERL_PERTURB_KEYS setting. Setting PERL_HASH_SEED=0 (exactly one 0) implies PERL_PERTURB_KEYS=0 (hash key randomization disabled), setting PERL_HASH_SEED to any other value, implies PERL_PERTURB_KEYS=2 (deterministic/repeatable hash key randomization). Specifying PERL_PERTURB_KEYS explicitly to a different level overrides this behavior.

  Includes changes to allow one to compile out various aspects of the patch. One can compile such that PERL_PERTURB_KEYS is not respected, or can compile without hash key traversal randomization at all. Note that support for these modes is incomplete, and currently a few tests will fail.

  Also includes a new subroutine in Hash::Util::hash_traversal_mask() which can be used to ensure a given hash produces a predictable key order (assuming the same hash seed is in effect). This sub acts as a getter and a setter.

  NOTE - this patch lacks tests, but I lack tuits to get them done quickly, so I am pushing this with the hope that others can add them afterwards.
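The three PERL_PERTURB_KEYS modes and the PERL_HASH_SEED coupling described in the commit above can be observed from the shell. The script below is an added example, not code from the perl repository: it runs the same 26-key hash through `perl` under explicit settings and under the defaults, and reports whether two runs traverse in the same order. It assumes the `perl` on PATH is 5.18 or newer (older perls ignore PERL_PERTURB_KEYS); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the perl repository): observe how PERL_HASH_SEED and
# PERL_PERTURB_KEYS control the order returned by keys().
# Assumption: 'perl' on PATH is 5.18 or newer.

# keys() order of a fixed 26-key hash under explicit seed/perturb settings.
# $1 = PERL_HASH_SEED (hex string, "0" disables randomization)
# $2 = PERL_PERTURB_KEYS (0 = off, 1 = random, 2 = deterministic)
key_order() {
    env PERL_HASH_SEED="$1" PERL_PERTURB_KEYS="$2" \
        perl -e 'my %h; $h{$_} = 1 for "a" .. "z"; print join("", keys %h), "\n"'
}

# Same hash with both variables unset: the default, per-process random order.
default_key_order() {
    ( unset PERL_HASH_SEED PERL_PERTURB_KEYS
      perl -e 'my %h; $h{$_} = 1 for "a" .. "z"; print join("", keys %h), "\n"' )
}

# Succeeds when two separate processes under the given settings agree on order.
same_order_twice() {
    [ "$(key_order "$1" "$2")" = "$(key_order "$1" "$2")" ]
}

if command -v perl >/dev/null 2>&1; then
    echo "seed=0, perturb=0 (randomization off):    $(key_order 0 0)"
    echo "fixed seed, perturb=2 (repeatable random): $(key_order 0x0123456789abcdef 2)"
    echo "defaults, run 1:                            $(default_key_order)"
    echo "defaults, run 2:                            $(default_key_order)"
    same_order_twice 0 0 && echo "seed=0/perturb=0 is stable across processes"
    same_order_twice 0x0123456789abcdef 2 && echo "fixed seed/perturb=2 is stable across processes"
fi
```

The two default runs will usually differ, which is the point of mode 1: an attacker cannot predict bucket layout from one observed order. Mode 2 with a fixed seed is the setting to use when a test suite or a reproducible build needs stable output; it should not be carried into production, because a fixed seed reintroduces the predictability the randomization was added to remove.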
* pod/perlsec.pod: fix typo and tweak wording
  Aaron Crane | 2013-04-11 | 1 file | -4/+4

* improve hash related documentation in perlfunc and perlsec to reflect new hash randomization logic
  Yves Orton | 2013-03-29 | 1 file | -0/+16

* Fix syntax: useless use of constant in void context
  Alan Haggai Alavi | 2013-02-03 | 1 file | -1/+1

* perlsec: #109408
  Brian Fraser | 2012-06-27 | 1 file | -4/+2

* perlsec: Fix example to localize $@.
  Karl Williamson | 2011-12-14 | 1 file | -0/+1
  Not doing this can cause hard-to-find bugs.

* Don't encourage using Safe in perlsec
  Rafael Garcia-Suarez | 2010-03-18 | 1 file | -3/+8

* Add security contact information to perlsec
  David Golden | 2009-07-26 | 1 file | -0/+12
  This patch inserts a short paragraph with security contact information near the top of the "Perl Security" documentation page. This would seem a likely place someone would look for such information (rather than INSTALL or perldelta where it lives today). I've put it at the top, not the bottom to make it easier to find.
* suidperl goes.
  Nicholas Clark | 2009-01-23 | 1 file | -8/+1

* changes to perlsec.pod and call for removal of quicksort
  John P. Linderman | 2008-04-09 | 1 file | -7/+6
  From: "John P. Linderman" <jpl@research.att.com>
  Message-Id: <200804091232.m39CWVkY33722822@raptor.research.att.com>
  p4raw-id: //depot/perl@33664

* Update the hash documentation to reflect the changes between 5.8.1 and 5.8.2, that disabled the automatic randomisation of all hashes.
  Nicholas Clark | 2007-12-21 | 1 file | -7/+10
  p4raw-id: //depot/perl@32688

* [perl #40293] perlsec talks erroneously about "Non-Finite Automaton"
  premchai21@yahoo.com | 2006-09-07 | 1 file | -3/+3
  From: premchai21@yahoo.com (via RT) <perlbug-followup@perl.org>
  Message-ID: <rt-3.5.HEAD-31258-1157609470-1994.40293-75-0@perl.org>
  p4raw-id: //depot/perl@28800

* Re: New perltrap?
  Rick Delaney | 2006-08-01 | 1 file | -1/+5
  Message-ID: <20060801124336.GM21381@localhost.localdomain>
  p4raw-id: //depot/perl@28644
* Pod nit mentioned in Debian bug #358455.
  Steve Peters | 2006-03-30 | 1 file | -1/+1
  p4raw-id: //depot/perl@27635

* Small addition to perlsec by Stas Bekman.
  Rafael Garcia-Suarez | 2004-12-06 | 1 file | -0/+5
  p4raw-id: //depot/perl@23619

* Document that $ENV{PATH} may not contain relative directories under -T
  Rafael Garcia-Suarez | 2004-09-22 | 1 file | -10/+10
  p4raw-id: //depot/perl@23332

* PATCH: Taintedness and ternary conditional
  Andy Lester | 2004-09-01 | 1 file | -15/+31
  Message-Id: <20040827044447.GA5268@petdance.com>
  add tests and documentation to the effect that ($tainted ? $a : $b) doesn't necessarily return a tainted value. Also tidy the markup in perldoc.pod
  p4raw-id: //depot/perl@23253
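The ternary behaviour the commit above documents is easy to confirm. The shell function below is an added example, not code from the perl repository or from this patch: it runs a one-liner under `-T`, takes a command-line argument (which perl taints) as `$tainted`, and reports with Scalar::Util::tainted whether the value chosen by `?:` is tainted. The `user-input` argument is a constructed sample and the function name is this example's own; it assumes the `perl` on PATH is built with taint support.

```shell
#!/bin/sh
# Added example (not from the perl repository): show that a ternary whose
# condition is tainted returns a tainted value only when the chosen branch
# itself is tainted. Assumes 'perl' on PATH supports -T.
#
# Prints three flags (1 = tainted, 0 = not):
#   tainted($t)   the command-line argument, tainted under -T
#   tainted($r1)  $t ? "yes" : "no"  - an untainted constant was chosen
#   tainted($r2)  $t ? $t : "no"     - the tainted value itself was chosen
ternary_taint() {
    perl -T -MScalar::Util=tainted -e '
        my $t  = $ARGV[0];             # @ARGV is tainted under -T
        my $r1 = $t ? "yes" : "no";    # branch value is an untainted constant
        my $r2 = $t ? $t : "no";       # branch value is the tainted scalar
        my $out = "";
        $out .= tainted($_) ? 1 : 0 for $t, $r1, $r2;
        print "$out\n";
    ' user-input
}

ternary_taint   # expected: 101
```

Taint attaches to the scalar value, not to the statement: the condition of `?:` is only inspected for truth, so nothing of it flows into the result unless the selected branch carries a tainted value. A laundering check that relies on this (for example, mapping user input to a fixed set of constants through a conditional) is therefore legitimate; concatenating or interpolating the tainted value into the result is not.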
* [perl #24651] Taint bug with multiple backticks in ref constructors
  Mike Guy | 2003-12-21 | 1 file | -6/+9
  Message-Id: <E1AXOFT-0007DE-7q@draco.cus.cam.ac.uk>
  p4raw-id: //depot/perl@21942

* [patch pod/perlsec.pod] (was Re: why PERL5LIB is ignored when -T is in effect)
  Stas Bekman | 2003-11-28 | 1 file | -0/+20
  Message-ID: <3FC7CF51.7060804@stason.org>
  p4raw-id: //depot/perl@21799

* We now return to your normally scheduled hash randomisation.
  Jarkko Hietaniemi | 2003-07-27 | 1 file | -8/+12
  p4raw-id: //depot/perl@20242

* Retract the statements.
  Jarkko Hietaniemi | 2003-07-11 | 1 file | -12/+8
  p4raw-id: //depot/perl@20137

* Some warnings about the (im)proper uses of the hash randomisation.
  Jarkko Hietaniemi | 2003-06-27 | 1 file | -0/+13
  p4raw-id: //depot/perl@19866

* Bite the bullet and apply the hash randomisation patch.
  Jarkko Hietaniemi | 2003-06-26 | 1 file | -0/+56
  [perl #22371] Algorithmic Complexity Attack on Perl 5.6.1, 5.8.0
  p4raw-id: //depot/perl@19854
* Integrate from the maint-5.8/ branch :
  Rafael Garcia-Suarez | 2002-12-10 | 1 file | -1/+1
  changes 18219, 18236, 18242-3, 18247-8, 18253-5, 18257, 18273-6
  p4raw-id: //depot/perl@18280
  p4raw-branched: from //depot/maint-5.8/perl@18279 'branch in' t/op/lc_user.t
  p4raw-integrated: from //depot/maint-5.8/perl@18279 'copy in' lib/File/Copy.pm (@17645..) lib/utf8_heavy.pl pod/perlsec.pod (@18080..) hints/irix_6.sh (@18173..) t/uni/tr_utf8.t (@18197..) pod/perlunicode.pod (@18242..) t/op/pat.t (@18248..) t/op/split.t (@18274..) 'edit in' pod/perlguts.pod (@18242..) 'merge in' pp.c (@18126..) MANIFEST (@18234..)
  p4raw-integrated: from //depot/maint-5.8/perl@18254 'merge in' pod/perldiag.pod (@18234..)

* Re: [PATCH] Re: taint news
  Rick Delaney | 2002-08-12 | 1 file | -16/+5
  Message-ID: <m3heibs0vp.fsf@cs839290-a.mtth.phub.net.cable.rogers.com>
  missed patch fragment from Change #17676
  p4raw-id: //depot/perl@17720

* Discuss the magic of \w in security terms.
  Jarkko Hietaniemi | 2002-04-12 | 1 file | -0/+7
  p4raw-id: //depot/perl@15876

* Add a warning about the symbolic methods and symbolic sub refs not being checked for taint.
  Jarkko Hietaniemi | 2002-04-12 | 1 file | -0/+17
  p4raw-id: //depot/perl@15875

* small doc update to promote '-no_match_vars' of 'use English'
  Jeffrey Friedl | 2002-03-04 | 1 file | -1/+1
  Message-Id: <200203042014.g24KEjP08407@ventrue.corp.yahoo.com>
  p4raw-id: //depot/perl@15021

* Re: taint news
  Rick Delaney | 2002-02-24 | 1 file | -7/+12
  Message-ID: <m3d6yuvnwr.fsf@cs839290-a.mtth.phub.net.cable.rogers.com>
  p4raw-id: //depot/perl@14853