Docs: more info on taint

author: Jeremy Harris <jgh146exb@wizmail.org> 2020-06-05 10:37:57 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2020-06-05 10:37:57 +0100
commit: 46fa6b8a21e141c73c95300537d7e71d545d6e25 (patch)
tree: 5c9c34722fbbc05465f1bab83ad9f00045e8d44b /doc
parent: 0e0e1716286028c369f93a28412839c657e6b47c (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5915a3af3..ccfa4424a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9453,10 +9453,22 @@ the data type.  ACL rules always expand strings.  A couple of expansion
 conditions do not expand some of the brace-delimited branches, for security
 reasons,
 .cindex "tainted data" expansion
+.cindex "tainted data" definition
 .cindex expansion "tainted data"
 and expansion of data deriving from the sender (&"tainted data"&)
 is not permitted.
 
+.new
+Common ways of obtaining untainted equivalents of variables with
+tainted values
+.cindex "tainted data" "de-tainting"
+come down to using the tainted value as a lookup key in a trusted database.
+This database could be the filestem structure,
+or the password file,
+or accessed via a DBMS.
+Specific methods are indexed under &"de-tainting"&.
+.wen
+
 
 
 .section "Literal text in expanded strings" "SECTlittext"
author	Jeremy Harris <jgh146exb@wizmail.org>	2020-06-05 10:37:57 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2020-06-05 10:37:57 +0100
commit	46fa6b8a21e141c73c95300537d7e71d545d6e25 (patch)
tree	5c9c34722fbbc05465f1bab83ad9f00045e8d44b /doc
parent	0e0e1716286028c369f93a28412839c657e6b47c (diff)