Add security notice to DBD::Proxy and DBI::ProxyServer re Storable RT#90475

Author: timbunce

Changes

@@ -14,6 +14,9 @@ DBI::Changes - List of significant changes to the DBI
         driver_prefix is not fulfilled (RT#93204) [Jens Rehsack]
     Fixed redundant sprintf argument warning RT#97062 [Reini Urban]
 
+    Added security notice to DBD::Proxy and DBI::ProxyServer because they
+        use Storable which is insecure. Thanks to [email protected] RT#90475
+
 =head2 Changes in DBI 1.631 - 20th Jan 2014
 
 NOTE: This release changes the handle passed to Callbacks from being an 'inner'

lib/DBD/Proxy.pm

@@ -973,6 +973,13 @@ The workaround is storing the modified local copy back to the server:
   $dbh->{"csv_tables"} = $tables;
 
 
+=head1 SECURITY WARNING
+
+L<RPC::PlClient> used underneath is not secure due to serializing and
+deserializing data with L<Storable> module. Use the proxy driver only in
+trusted environment.
+
+
 =head1 AUTHOR AND COPYRIGHT
 
 This module is Copyright (c) 1997, 1998

lib/DBI/ProxyServer.pm

@@ -867,6 +867,13 @@ Don't try to put parameters into the sql-query like this:
 =back
 
 
+=head1 SECURITY WARNING
+
+L<RPC::PlServer> used underneath is not secure due to serializing and
+deserializing data with L<Storable> module. Use the proxy driver only in
+trusted environment.
+
+
 =head1 AUTHOR
 
     Copyright (c) 1997    Jochen Wiedmann