bradcathey has asked for the wisdom of the Perl Monks concerning the following question:

My palms got a little sweaty as I read the replies to the node concerning security risks with Matt's Scripts. I have never used those, but it got me wondering about my own use of sendmail. I have been using the examples from the Mouse book CGI Programming with Perl (even after all their dire warnings about using it) with decent results (people are getting the e-mails!). I'm still trying to get my head around the security issues and want some XP'ed monks to take a look and tell me if I'm overlooking anything. The Validate.pm (doing the untainting) is on my scratchpad (thanks to chromatic for his help on this module and calling it).

So, 1) Is this secure? 2) Why is it that when I add -T to the shebang, I get a "Can't locate Validate.pm in @INC" error (works fine without it)?
    #!/usr/bin/perl

    print "Content-type: text/plain\n\n";

    use strict;
    use warnings;
    use Validate;
    use CGI qw(:standard);

    my @errors;

    my $sendto = Validate->alphanum (param('sendto'));
    push @errors, "Missing or invalid addressee\n" unless $sendto;

    my $email = Validate->email (param('email'));
    push @errors, "Missing or invalid e-mail address\n" unless $email;

    # similar untainting for all other user input here, then...
    # (the post elides that code; the three fields are declared here so the
    # script compiles under strict, but they are NOT validated at this point)
    my $name    = param('name');
    my $subject = param('subject');
    my $message = param('message');

    if (@errors) {
        &printerrors;
        exit;
    }

    #-----------send email ---------
    $sendto .= "\@somewebsite.org";

    open(MAIL, "| /usr/lib/sendmail -t") or die "Could not open sendmail: $!";
    print MAIL "From: $name\n";
    print MAIL "To: $sendto\n";
    print MAIL "Subject: $subject\n\n";
    print MAIL "E-mail: $email\n\n";
    print MAIL "Message: $message\n\n";
    print MAIL "\n\n";
    close MAIL or die "Could not close sendmail: $!";

    print "Thanks for your message.";
    exit;

    sub printerrors {
        for (@errors) { print $_."\n" }
    }

    __END__
Thank you all!

—Brad
"A little yeast leavens the whole dough."

Re: Security of Sendmail and -T error
by shenme (Priest) on Dec 14, 2003 at 04:32 UTC
    Regarding your point 2, could this passage from perlrun be a clue?
    PERL5LIB
    ....
    If PERL5LIB is not defined, PERLLIB is used.
    ....
    When running taint checks (either because the program was running setuid or setgid, or the -T switch was used), neither variable is used. The program should instead say:

          use lib "/my/directory";
Re: Security of Sendmail and -T error
by grinder (Bishop) on Dec 14, 2003 at 11:57 UTC

    The best way to avoid security problems with sendmail is to avoid using it (at least directly). Postfix is a drop-in replacement for sendmail, which would allow you to get rid of it altogether.

    There are a number of Perl modules available to send e-mail, from the very simple (Net::SMTP), to the effective (Mail::Sendmail), to the fully-equipped (MIME-Tools).

    I tend to favour using Mail::Sendmail, which, despite its name, does not require the sendmail program (it just needs the hostname of a local MTA, which defaults to localhost), and is also pure Perl.

      Thanks grinder for the practical suggestions, I will look into those other modules. I'm still curious *why* sendmail is so frowned upon, but for now I'll take the advice I'm seeing here as ample.

      Update: I checked on Mail::Sendmail and my primary web hosts have it installed. The documentation on CPAN seems simple enough, so I'm off and running with a new (hopefully more secure) way to send mail. Thanks again.

      UPDATE 2: Actually have Mail::Sendmail now working on a live site and it's way cool. Less typing and the From address is better.

      —Brad
      "A little yeast leavens the whole dough."
Re: Security of Sendmail and -T error
by liz (Monsignor) on Dec 14, 2003 at 13:04 UTC
    You indicate:
    # similar untainting for all other user input here, then...
    and:
    print MAIL "Subject: $subject\n\n";
    so it's not clear what kind of checks you're doing on the subject. Depending on those checks, this script may be an open mail relay or not. For example, suppose the subject is set to:
        $subject = "Nice subject\nBcc: john@doe.com, jane@doe.com... ";
    the mail you send becomes in fact:
        From: $name
        To: $sendto
        Subject: Nice subject
        Bcc: john@doe.com, jane@doe.com...

        Message: $message
    and you've just become a spammer.

    So, make sure you filter newlines from $subject as well!

    Liz

      Great tip, liz, thanks! And to your point, I was only filtering out punctuation and not newlines.

      —Brad
      "A little yeast leavens the whole dough."
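The two fixes raised above (shenme's: under -T, PERL5LIB is ignored, so name the module directory with use lib; liz's: a line break in any user-supplied header field turns the form into an open relay) fit together in one taint-mode version of the header-building part of the script. The following is an added example written for this page, not code from the original thread or from the Mouse book; the library path /home/brad/lib, the field names and the sample form input are assumptions. The sample Subject carries liz's Bcc: payload, so the script rejects it and never reaches sendmail; swap in a clean subject to actually send. Run it as perl -T mailer.pl (a -T on the shebang alone gives "Too late for -T" when invoked by hand).

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code.  Header fields are
# validated by regex capture (which also launders the taint), any CR/LF
# is refused outright, and sendmail is started with the list form of
# open so no shell ever sees the arguments.
use strict;
use warnings;
use lib '/home/brad/lib';   # assumed path; -T ignores PERL5LIB/PERLLIB

# Taint mode refuses to run a child process with an inherited PATH.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Note \A...\z throughout: a trailing $ would still match before a
# final "\n", which is exactly the character we must keep out.

# Local part of the addressee: word characters only.
sub untaint_alnum {
    my ($v) = @_;
    return unless defined $v && $v =~ /\A(\w{1,64})\z/;
    return $1;
}

# Sender address: a deliberately narrow pattern; no whitespace,
# no angle brackets, no comments, no line breaks.
sub untaint_email {
    my ($v) = @_;
    return unless defined $v
        && $v =~ /\A([\w.+-]{1,64}\@[\w-]+(?:\.[\w-]+)+)\z/;
    return $1;
}

# Free-text header field (Subject, display name): reject the whole
# value if it contains CR or LF rather than silently stripping them,
# so the submitter gets an error instead of a mangled mail.
sub untaint_header_text {
    my ($v) = @_;
    return unless defined $v && $v =~ /\A([^\r\n]{1,200})\z/;
    return $1;
}

# Assemble the header block from already-untainted fields; returns
# undef if anything is missing so a half-built header is never sent.
sub build_headers {
    my (%f) = @_;
    for my $k (qw(from to subject)) {
        return unless defined $f{$k};
    }
    return "From: $f{from}\nTo: $f{to}\nSubject: $f{subject}\n\n";
}

# List-form open: /usr/lib/sendmail is exec'd directly with "-t",
# so the arguments are never interpreted by a shell.
sub send_via_sendmail {
    my ($headers, $body) = @_;
    open my $mail, '|-', '/usr/lib/sendmail', '-t'
        or die "Could not open sendmail: $!";
    print {$mail} $headers, $body, "\n";
    close $mail or die "Could not close sendmail: $!";
}

# Constructed form input standing in for CGI param(); the subject is
# liz's injection attempt.
my %form = (
    sendto  => 'webmaster',
    email   => 'visitor@example.org',
    subject => "Nice subject\nBcc: john\@doe.com, jane\@doe.com",
    message => "Hello from the contact form.",
);

my $local   = untaint_alnum($form{sendto});
my $to      = defined $local ? "$local\@somewebsite.org" : undef;
my $from    = untaint_email($form{email});
my $subject = untaint_header_text($form{subject});   # undef: has "\n"

my $headers = build_headers(from => $from, to => $to, subject => $subject);
if (defined $headers) {
    send_via_sendmail($headers, "E-mail: $form{email}\n\nMessage: $form{message}\n");
    print "Thanks for your message.\n";
} else {
    print "Rejected: a header field was missing or contained a line break.\n";
}
```

The body ($message) is the one field that may legitimately contain newlines; it is written only after the blank line that ends the header block, so nothing in it can become a header. The same untainted values can be handed to Mail::Sendmail's To/From/Subject keys if you take grinder's advice and drop the sendmail binary.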
Re: Security of Sendmail and -T error
by skazat (Chaplain) on Dec 14, 2003 at 06:58 UTC

    You may want to look into Dada::FormValidator for a more thorough validation suite. It really is sweet.

    I don't believe it'll untaint for you, but that's easy enough.

    You may also want to use the CGI.pm module to generate the Content-Type line:

    print header('text/plain');


    -justin simoni
    !skazat!

      You may want to look into Dada::FormValidator for a more thorough validation suite. It really is sweet.
      I love that typo. Can you imagine what a Dada validator would check for:
      Every product of disgust that is capable of becoming a negation of the family is dada; DADA; acquaintance with all the means hitherto rejected by the sexual prudishness of easy compromise and good manners: DADA; abolition of logic, dance of those who are incapable of creation: DADA; every hierarchy and social equation established for values by our valets: DADA; every object, all objects, feelings and obscurities, every apparition and the precise shock of parallel lines, are means for the battle of: DADA; the abolition of memory: DADA; the abolition of archaeology: DADA the abolition of prophets: DADA; the abolition of the future: DADA; the absolute and indiscutable belief in every god that is an immediate product of spontaneity: DADA; the elegant and unprejudiced leap from on harmony to another sphere; the trajectory of a word, a cry, thrown into the air like an acoustic disc; to respect all individualities in their folly of the moment, whether serious, fearful, timid, ardent, vigorous, decided or enthusiastic; to strip one's church of every useless and unwieldy accessory; to spew out like a luminous cascade any offensive or loving thought, or to cherish it - with the lively satisfaction that it's all precisely the same thing - with the same intensity in the bush, which is free of insects for the blue-blooded, and gilded with the bodies of archangels, with one's soul. Liberty: DADA DADA DADA; - the roar of contorted pains, the interweaving of contraries and all contradictions, freaks and irrelevancies: LIFE.
      From the Dada Manifesto
Re: Security of Sendmail and -T error
by Abigail-II (Bishop) on Dec 14, 2003 at 11:31 UTC
    Is this secure?
    Considering you use sendmail, the track record of sendmail would suggest 'no'.

    Abigail