Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

(crossposted on Stackoverflow http://stackoverflow.com/questions/35301657/dancerpluginemail-module-is-data-tainted)

When using the Dancer::Plugin::Email module,should you check the user input for malicious data or is the input automatically tainted etc?

Although Dancer specific, does in the general case that the server runs as root and the untrusted user input passes a system("rm -rf *") or something along those lines that is then fed to the sendmail executable pose a risk and opens the can of worms?

Is that why it is recommended to run the webserver as a limited privilege user?

  • Comment on Dancer::Plugin::Email module - Is data tainted?

Replies are listed 'Best First'.
Re: Dancer::Plugin::Email module - Is data tainted?
by Anonymous Monk on Feb 10, 2016 at 08:11 UTC

    When using the Dancer::Plugin::Email module,should you check the user input for malicious data or is the input automatically tainted etc?

    What happens when you try some malicious data?

    I don't think its likely that Email::Sender is vulnerable to shell interpolation

    Although Dancer specific, does in the general case that the server runs as root and the untrusted user input passes a system("rm -rf *") or something along those lines that is then fed to the sendmail executable pose a risk and opens the can of worms?

    Maybe, it depends on the code

    Is that why it is recommended to run the webserver as a limited privilege user?

    Yes

[reply]

Back to Seekers of Perl Wisdom