in reply to Mail::Mailer and difficulty with -T taint mode

An error message, interesting ... from `perldoc perldiag':
Insecure $ENV{%s} while running %s

(F) You can't use system(), exec(), or a piped open in a setuid or setgid script if any of $ENV{PATH}, $ENV{IFS}, $ENV{CDPATH}, $ENV{ENV} or $ENV{BASH_ENV} are derived from data supplied (or potentially supplied) by the user. The script must set the path to a known value, using trustworthy data. See perlsec.

Does that help?

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.

  • Comment on Re: Mail::Mailer and difficulty with -T taint mode

Replies are listed 'Best First'.
Re: Re: Mail::Mailer and difficulty with -T taint mode
by davido (Cardinal) on Oct 12, 2003 at 10:58 UTC
    That is helpful, but it seems then, that it is telling me there is NO way to successfully pass a user-supplied From address to Mail::Mailer, if that module uses system, exec, or a piped open. I say this because in untainting an email address supplied by the user, you risk wrecking valid addresses since just about any character may exist within a valid address. I used Mail::Mailer because of its proported feature of avoiding the shell, in the interest of security. I don't believe that Mail::Mailer uses a piped open, as it is the module's goal to keep the message being sent far away from the shell. But the exec one seems a little tricky to get around.

    I could supply a hard-wired From, and then pass the user's supplied From through the body of the message, but even that must pass through Mail::Mailer.

    Surely I am just not seeing the simple solution. ;)


    Dave


    "If I had my life to do over again, I'd be a plumber." -- Albert Einstein
[reply]

      Some quick tests indicate that if Mail::Mailer really were using exec in a safe way, perl wouldn't care about $ENV{PATH}. 

      [sgifford@sghome sgifford]$ perl -T -e"exec('echo', 'OK')"
Insecure $ENV{PATH} while running with -T switch at -e line 1.
[sgifford@sghome sgifford]$ perl -T -e"exec('/bin/echo OK')"
Insecure $ENV{PATH} while running with -T switch at -e line 1.
[sgifford@sghome sgifford]$ perl -T -e"exec('/bin/echo', 'OK')"
OK

      [download]

      What mailer are you using with Mail::Mailer, and what version? Can you find the relevant code that you think should be secure but Perl doesn't agree? Why is it a problem to untaint the from address to guarantee that it doesn't contain anything strange?

[reply]
[d/l]
[select]
      but it seems then, that it is telling me there is NO way to successfully pass a user-supplied From address to Mail::Mailer,
      So what you're saying is that you're using taint mode without knowing how it works? All of the values in %ENV are tainted. If you don't know what that means, or how to get around it, read perlsec (it's a link you know).

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

[reply]

      Mail::Mailer does use a piped open. From my version of Mail::Mailer (in MailTools 1.60) about line 226:

          # Fork and start a mailer
    (defined($exe) && open($self,"|-")) # (snip)

      [download]

      I don't know enough about packages to know if this is a potentially harmful open call, but I can understand how the taint checking is complaining about the path.

[reply]
[d/l]

In Section Seekers of Perl Wisdom