document "perl_flags" and "-T"

doc/ChangeLog

@@ -11,9 +11,10 @@ FreeRADIUS 3.0.18 Tue 17 Apr 2018 14:00:00 EDT urgency=low
 	* Add sql_session_start policy (raddb/policy.d/accounting)
 	  This minimizes race conditions when using Simultaneous-Use
 	  Patch from Philippe Wooding (#2257).
-	* For rlm_perl, all variables are now tainted by default.
-	  This should only affect people who are using variables
-	  in insecure ways.
+	* For rlm_perl, all variables are now tainted by default.  See
+	  raddb/mods-available/perl, and the "perl_flags" configuration
+	  item.  This change should only affect people who are using
+	  variables in insecure ways.
 
 	Bug fixes
 	* The session-state list is no longer cleaned in the

raddb/mods-available/perl

@@ -13,6 +13,17 @@ perl {
 	#
 	filename = ${modconfdir}/${.:instance}/example.pl
 
+	#
+	#  Options which are passed to the Perl interpreter.
+	#  These are (mostly) the same options as are passed
+	#  to the "perl" command line.
+	#
+	#  The most useful flag is "-T".  This sets tainting on.  And
+	#  as of 3.0.18, makes it impossible to leverage bad
+	#  User-Names into local command execution.
+	#
+	perl_flags = "-T"
+
 	#
 	#  The following hashes are given to the module and
 	#  filled with value-pairs (Attribute names and values)