#Get the user's email, this is fine
use CGI;
$q = new CGI unless @ARGV;
$email = $ARGV[0] || $q->param("email");

#Open sendmail to send the mail, this is not fine
open(MAIL, "|/usr/lib/sendmail $email");
print MAIL $mailMessage;
[download]

Congratulations, this would send an email to bob containing all the names of the files you no longer have.

UPDATE: Obviously -T (taint) is your friend.

--
perl -p -e "s/(?:\w);([st])/'\$1/mg"

FYI: There's a poll on this @ http://use.perl.org

UPDATE: there are of course others. I prefer Mail::Sendmail as it's rather robust, the only real issue I've had with it is that it requires fully qualified email addresses.

--
perl -p -e "s/(?:\w);([st])/'\$1/mg"

Of course it depends on how much mail you are talking about here, but for very simple things I pipe my output to mail. For instance, I sometimes have to send a test email to people, to allay their fears of email trouble. The message is always the same, but the address changes, so I wrote up a little script to speed up the 'test message' task. The meat of it is very simple, and looks like this:

eval{
open (MAIL, "|/bin/mail $address -s $mail_subject");
print MAIL "$standard_message \n";
$comment and print MAIL "$comment \n";
close MAIL;
};
$@ and die "A local error occurred while attempting to send the messag
+e: $@\n";
[download]

Now for me, I assume this is "secure enough" in that the script is for my own use. I have hard-coded the path to /bin/mail, so unless someone on my system has access to modify the mail executable, I should have no trouble there; and I know I'm never going to pass it an evil value for $mail_subject like 'cat /etc/passwd | head -20' ...
If I was writing a script for the public to use, I would want to do a lot of checking on those variables to make _sure_ they were safe looking and normal before I passed them to open() ... I would want to think about what would happen if someone tried to pass me some Unicode, or hex escape codes, or abuse the script to send anonymous mail, and so on and so forth.

You can run perl in taint mode (-T) to catch insecure situations where others might potentially pass your script evil values and try to get it to misbehave. You can read all about taint in perlsec. Eventually it comes down to writing a regexp to 'launder' your input of any nastygrams someone might try and pass off.

NOOOOO!

/bin/mail is insecure! If $comment can be coerced by the user to contain a tilde at the beginning of the line, you've just handed them a shell!

Bad. Bad.

And don't get me started on $address containing shell-significant characters, which it will if you permit the address to be specified by the user, and you must permit those characters.

In short: Just Say No to /bin/mail for security!

-- Randal L. Schwartz, Perl hacker

As already suggested, there is a good selection of modules on CPAN for handling email.

You should consider limiting access to the script and, if possible, the potential recipients of the emails that this script can send email to - especially if it's publically accessable.

If your script takes arguments for the recipient and the message content, and doesn't do any sort of checking, it could be used to spam people - and it would all appear to come from your email account.

If you plan on using the script to allow people to email you from your website for example, hardcode your email address as the recipient in the script - there's no need for the script to send to anyone else.

As far as I'm concerned, this is one time where flexibility shouldn't be at the top of your list.
Figure out exactly what the script has to do, and ensure it can do no more.

Hope that helps,

Baz.

--
perl -p -e "s/(?:\w);([st])/'\$1/mg"