Add a warning about the symbolic methods and

symbolic sub refs not being checked for taint.

p4raw-id: //depot/perl@15875

diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index 53192cb..8616c64 100644 (file)
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -54,6 +54,23 @@ mechanism.
 
 Arguments to C<print> and C<syswrite> are B<not> checked for taintedness.
 
+=item *
+
+Symbolic methods
+
+    $obj->$method(@args);
+
+and symbolic sub references
+
+    &{$foo}(@args);
+    $foo->(@args);
+
+are not checked for taintedness.  This requires extra carefulness
+unless you want external data to affect your control flow.  Unless
+you carefully limit what these symbolic values are, people are able
+to call functions B<outside> your Perl code, such as POSIX::system,
+in which case they are able to run arbitrary external code.
+
 =back
 
 The value of an expression containing tainted data will itself be