in reply to Second hack at Secure Mailer

The only thing that gets me is the starting point, namely this template file. The fact that you're getting the name of the file directly from the CGI QUERY_STRING, even with all the various s/// operators in there, can still *possibly* leave you open for the "; rm -rf /" attacks. You may have that fixed, but for some reason that concerns me.

Here's my suggestion: Since this appears to be selecting a template file from a limited number of choices, how about creating a hash that maps a template keyword to the actual filename that you use, so that the open call will only see a filename that *you* specify and doesn't at all come from the CGI query. The only major check you'll need is to add a default option if the template keyword parameter is not in your hash, but this is trivial. eg:

my %template_hash = ( default => "www/default.tmp", detailed => "www/detail.tmp", brief => "www/brief.tmp" ); # $temp still gotten as before, could also be cgi->param my $template_file = ( defined $template_hash{ $temp } ) ? $template_hash{ $temp } : $template_hash{ 'default' }; # Continue on as above.