ropey has asked for the wisdom of the Perl Monks concerning the following question:

Fellow monks, I'm probably being a numbnuts, but I seem to be having an odd problem with MIME::Lite. I'm trying to send an email generated from an HTML form. It runs fine on the command line, however within a CGI it won't allow me to send 'insecure' data. I tried 'untainting' the inputs with a regex but to no avail; I'm getting the message:
[Mon Mar 4 16:30:03 2002] [error] [Mon Mar 4 16:30:03 2002] null: Insecure $ENV{PATH} while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.1/MIME/Lite.pm line 2550.
I have tried it with cgi inputs and now just hardcoding.
sub send_preview {
    my($query, $session) = @_;
    print STDERR "sending preview $ENV{PATH}\n";
    my $msg = new MIME::Lite
        From    => 'bar@foo.com',
        To      => 'bar@foo.com',
        Subject => 'None',
        Type    => 'TEXT';
    $msg->attr("content-type" => "text/html");
    $msg->send;
    print $query->header;
    print "SENT\n";
}
Even this way I'm getting the same message. Any ideas? I apologise if I am being dumb.... Thanks

Re: MIME::Lite and taint
by gellyfish (Monsignor) on Mar 04, 2002 at 17:04 UTC

    First you probably want to read the perlsec manpage and then you will want to sanitize your environment with something like:

    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = '/bin:/usr/bin';

    /J\
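
As an added illustration of the cleanup suggested above (this script is not code posted in the thread): run under -T, it tries to start an external program before and after the environment is sanitized. /bin/echo stands in for the mail program, and it and the file name are assumptions about the host.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Run as: perl -T taint_env_demo.pl
# (the file name and /bin/echo are assumptions for illustration).
use strict;
use warnings;

$| = 1;    # keep our output in order with the child's output

# Start an external program, as a sendmail-based send must, and return
# 'ok', a non-zero exit status, or the taint error Perl raised instead.
sub run_child {
    my $status = eval { system('/bin/echo', 'child process ran') };
    if ($@) {
        chomp(my $err = $@);    # the taint check died before any exec
        return "refused: $err";
    }
    return $status == 0 ? 'ok' : "exit status $status";
}

# 1. Environment as inherited from the web server or shell: every value
#    in %ENV is tainted, so Perl refuses to launch a child process.
print "before cleanup: ", run_child(), "\n";

# 2. The cleanup from the reply above: remove the variables that change
#    shell behaviour and set PATH to a fixed list of trusted directories.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

print "after cleanup:  ", run_child(), "\n";
```

The untainting regex on the form inputs has no effect on this check, because the refusal comes from the inherited environment rather than from the message data.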

Re: MIME::Lite and taint
by gav^ (Curate) on Mar 04, 2002 at 17:05 UTC

    Update: See gellyfish's post.

    You also might want to consider sending the message using SMTP so you don't have to exec anything:

    $msg->send('smtp', 'localhost', Timeout => 60);
    Hope this helps...

    gav^