From: Gisle Aas <gisle@activestate.com>
Date: Tue, 6 Dec 2005 14:45:30 +0000 (+0000)
Subject: Document why syslog($priority, "%s", $message) is a good idea
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=9903e4c84e85816608d5d27aaf47be642c39ddcd;p=p5sagit%2Fp5-mst-13.2.git

Document why syslog($priority, "%s", $message) is a good idea
if the code might be running with older versions of Sys::Syslog.

p4raw-id: //depot/perl@26277
---

diff --git a/ext/Sys/Syslog/Syslog.pm b/ext/Sys/Syslog/Syslog.pm
index d06ac17..56cf18a 100644
--- a/ext/Sys/Syslog/Syslog.pm
+++ b/ext/Sys/Syslog/Syslog.pm
@@ -77,6 +77,14 @@ If you didn't use openlog() before using syslog(), syslog will try to
 guess the I<$ident> by extracting the shortest prefix of I<$format>
 that ends in a ":".
 
+Note that Sys::Syslog version v0.07 and older passed the $message as
+the formatting string to sprintf() even when no formatting arguments
+where provided.  If the code calling syslog() might execute with older
+versions of this module, make sure to call the function as
+syslog($priority, "%s", $message) instead of syslog($priority,
+$message).  This protects against hostile formatting sequences that
+might show up if $message contains tainted data.
+
 =item setlogmask $mask_priority
 
 Sets log mask I<$mask_priority> and returns the old mask.