author: Chris Liddell <chris.liddell@artifex.com> 2012-02-29 16:46:33 +0000
committer: Chris Liddell <chris.liddell@artifex.com> 2012-03-15 11:54:23 +0000
commit: f83ac5903c1609857d68d11207cc9e8f1632d6ad
tree: de91468fb274b42ce09e1a5bd1fe12d0aaf81a3b
parent: c8e591da309cef7336762474348e81ac12e672e2
Bug 692602: revise SAFER section in the man page
patch courtesy of Jonathan Nieder ( jrnieder@gmail.com ). CLUSTER_UNTESTED
-rw-r--r-- gs/man/gs.1 | 37
1 files changed, 35 insertions, 2 deletions
diff --git a/gs/man/gs.1 b/gs/man/gs.1
index 423abbcc3..9cb92c473 100644
--- a/gs/man/gs.1
+++ b/gs/man/gs.1
@@ -277,8 +277,7 @@ X Windows). This may be needed if the platform fonts look undesirably
different from the scalable fonts.
.TP
.B \-dSAFER
-Disables the "deletefile" and "renamefile" operators and the ability to
-open files in any mode other than read-only. This strongly recommended for
+Restricts file operations the script can perform. Strongly recommended for
spoolers, conversion scripts or other sensitive environments where a badly
written or malicious PostScript program code must be prevented from changing
important files.
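Review bot: the replacement one-liner at the -dSAFER entry ("Restricts file operations the script can perform.") understates the option and gives the reader no pointer to where the details now live. The same patch documents that SAFER also sets .LockSafetyParams on the initial output device and prevents changes to /GenericResourceDir, /FontResourceDir, /SystemParamsPassword and /StartJobPassword, none of which are file operations. Suggest wording along the lines of "Restricts the file operations a PostScript program can perform and locks several device and system parameters; see the SAFER MODE section below." so the option list cross-references the new section, and use "PostScript program" rather than "the script" for consistency with the rest of the entry.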
@@ -294,6 +293,40 @@ Selects an alternate initial output device, as described above.
.BI \-sOutputFile= filename
Selects an alternate output file (or pipe) for the initial output
device, as described above.
+.SH "SAFER MODE"
+.PP
+The
+.B \-dSAFER
+option disables the "deletefile" and "renamefile" operators and prohibits
+opening piped commands ("%pipe%\fIcmd\fR"). Only "%stdout" and "%stderr" can be
+opened for writing. It also disables reading from files, except for "%stdin",
+files given as a command line argument, and files contained in paths given by
+LIBPATH and FONTPATH or specified by the system params /FontResourceDir and
+/GenericResourceDir.
+.PP
+This mode also sets the .LockSafetyParams parameter of the initial output device
+to protect against programs that attempt to write to files using the OutputFile
+device parameter. Since the device parameters specified on the command line,
+including OutputFile, are set prior to SAFER mode, use of "-sOutputFile=..." on
+the command line is unrestricted.
+.PP
+SAFER mode prevents changing the /GenericResourceDir, /FontResourceDir,
+/SystemParamsPassword, and /StartJobPassword.
+.PP
+While SAFER mode is not the default, it is the default for many wrapper jobs
+and may be the default in a subsequent release of Ghostscript. Thus jobs or
+programs that need to open files or set restricted parameters should pass the
+.B \-dNOSAFER
+command line option or its synonym
+.BR \-dDELAYSAFER .
+.PP
+When running with
+.B \-dNOSAFER
+it is possible to perform a "save" followed by ".setsafe", execute a file or
+procedure in SAFER mode, and then use "restore" to return to NOSAFER mode. In
+order to prevent the save object from being restored by the foreign file or
+procedure, the ".runandhide" operator should be used to hide the save object
+from the restricted procedure.
.SH FILES
.PP
The locations of many Ghostscript run-time files are compiled into the
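Review bot: the closing paragraph of the new SAFER MODE section describes the -dNOSAFER recipe (save, .setsafe, run the foreign file or procedure, restore) in prose only and introduces ".runandhide" without saying how it is invoked; since the whole point of the paragraph is that the save object must be unreachable from the untrusted procedure, give the operator's stack signature or a one-line PostScript example so a reader can apply it without consulting the source. Two smaller points: the first paragraph packs what is disabled (deletefile, renamefile, %pipe%) and what remains permitted (%stdout, %stderr, %stdin, command-line files, LIBPATH/FONTPATH and the two resource directories) into one long sentence, and would read more clearly split into "disabled" and "still allowed" sentences or a .IP list; and "the default for many wrapper jobs" is vague, since the intent is presumably the wrapper scripts shipped with Ghostscript (ps2pdf and friends), which could be named.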