I've been working on a script that will send email using the Mail::Mailer module. I've come across a problem that I can't figure out due to my inexperience with Mail::Mailer, and with taint checking in general. First, here's the error message I'm getting:

Insecure $ENV{PATH} while running with -T switch at /usr/local/share/perl/5.8.0/Mail/Mailer/sendmail.pm line 16.

And now a snippet or two from my script: 

#!/usr/bin/perl -T

use strict;
use warnings;
use CGI qw( -unique_headers );
use CGI::Carp qw( fatalsToBrowser );
use Mail::Mailer;

# Much stuff... ;)

sub send_message {
    my (    $recipient_addr, 
            $sender_name, 
            $sender_email, 
            $subject,
            $message )         = @_;
    my $mail = new Mail::Mailer;
    $mail->open( {
        To        => $recipient_addr,
        From      => $sender_email,
        Subject   => "[Mailer Response] " . $subject
    } );
    print $mail $message;
    close $mail;
}

[download]

It is my understanding that Mail::Mailer does not send anything through the shell. For example, if it chooses sendmail as the method of sending an email message, it uses the fork and exec technique to avoid passing arguments through the shell.

I am taking the message itself, the sender's address ("From"), the sender's name, and the subject line pretty much directly from the outside world (a CGI generated form). The recipient's address is hardwired into the script, and therefore, shouldn't be a security issue. The user input is coming in through the $q->param() method of CGI.pm.

The two biggest obstacles I see are (1) untainting a user-supplied 'from' email address, given that almost any ASCII character is permissible within what constitutes a valid address. ...and (2), just about any ASCII character is valid within a message body. Because of these two issues, I chose to use Mail::Mailer because what I've read about it indicates that it avoids the shell, thus passing parameters to the sending-agent safely.

My experience with untainting web-based input is quite limited; it is basically what I've gleaned from the POD for taint mode, and the Mouse book (2nd Edition). But what I've read about Mail::Mailer leads me to believe that though the user-input may not necessarily be valid, it's not getting anywhere near the shell, and thus not a serious security risk. What could I have missed?

So why the taint error? And what can / should I do to safely untaint a user-supplied "from" address (if that's even the issue)? Should I be looking at another module?

Thanks for any suggestions.


Dave


"If I had my life to do over again, I'd be a plumber." -- Albert Einstein

In reply to Mail::Mailer and difficulty with -T taint mode by davido

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.