script if C<$ENV{PATH}> contains a directory that is writable by the world.
See L<perlsec>.
-=item Insecure PATH
+=item Insecure $ENV{%s} while running %s
(F) You can't use system(), exec(), or a piped open in a setuid or
-setgid script if C<$ENV{PATH}> is derived from data supplied (or
+setgid script if any of C<$ENV{PATH}>, C<$ENV{IFS}>, C<$ENV{CDPATH}>,
+C<$ENV{ENV}> or C<$ENV{BASH_ENV}> are derived from data supplied (or
potentially supplied) by the user. The script must set the path to a
known value, using trustworthy data. See L<perlsec>.
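Review bot: The remedy sentence left as unchanged context at the end of this entry still reads "The script must set the path to a known value", which covers only PATH although the entry now also names IFS, CDPATH, ENV and BASH_ENV. Suggest rewording it to tell the reader to set or delete each of the listed variables. The body also never says what the second %s in the new heading "Insecure $ENV{%s} while running %s" stands for, so a sentence explaining it would help. Minor: "any of ... are derived" reads better as "any of ... is derived".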
@files = glob('*.c'); # Always insecure (uses csh)
If you try to do something insecure, you will get a fatal error saying
-something like "Insecure dependency" or "Insecure PATH". Note that you
+something like "Insecure dependency" or "Insecure $ENV{PATH}". Note that you
can still write an insecure B<system> or B<exec>, but only by explicitly
doing something like the "considered secure" example above.
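Review bot: The sample message in this paragraph is updated to "Insecure $ENV{PATH}", but the text does not say that the same fatal error can now name other environment variables. Since the perldiag heading in this patch is "Insecure $ENV{%s} while running %s", consider noting here that the variable name in the message varies. Quoting the message with its "while running" part would also let a reader who searches for the exact text find this paragraph.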