1 files changed, 16 insertions, 14 deletions

diff --git a/lib/libc/gen/wordexp.3 b/lib/libc/gen/wordexp.3
index 2fc20ef..dd4605f 100644
--- a/lib/libc/gen/wordexp.3
+++ b/lib/libc/gen/wordexp.3
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 18, 2015
+.Dd September 30, 2015
 .Dt WORDEXP 3
 .Os
 .Sh NAME
@@ -108,8 +108,9 @@ function frees the memory allocated by
 .Sh IMPLEMENTATION NOTES
 The
 .Fn wordexp
-function is implemented by executing
-.Xr sh 1 .
+function is implemented using the undocumented
+.Ic freebsd_wordexp
+shell built-in command.
 .Sh RETURN VALUES
 The
 .Fn wordexp
@@ -191,18 +192,19 @@ and
 functions conform to
 .St -p1003.1-2001 .
 .Sh BUGS
-Do not pass untrusted user data to
-.Fn wordexp ,
-regardless of whether the
-.Dv WRDE_NOCMD
-flag is set.
-The
-.Fn wordexp
-function attempts to detect input that would cause commands to be
-executed before passing it to the shell
-but it does not use the same parser so it may be fooled.
-.Pp
 The current
 .Fn wordexp
 implementation does not recognize multibyte characters other than UTF-8, since
 the shell (which it invokes to perform expansions) does not.
+.Sh SECURITY CONSIDERATIONS
+Pathname generation may create output that is exponentially larger than the
+input size.
+.Pp
+Although this implementation detects command substitution reliably for
+.Dv WRDE_NOCMD ,
+the attack surface remains fairly large.
+Also, some other implementations
+(such as older versions of this one)
+may execute command substitutions even if
+.Dv WRDE_NOCMD
+is set.