Hi Monks, I have an example script like this:
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;

$ENV{'PATH'} = '';

my $q = new CGI;
my $_mail_from = $q->param("mailfrom");
my $msg        = $q->param("msg");
my ($mail_from) = defined ($_mail_from) =~ /^(\w+\@\w+\.\w+)$/;

if ($mail_from && $msg) {
    &send_message($mail_from, $msg);
    &display_thanks;
} else {
    &display_form
}

sub send_message {
    my ($message1, $message2) = @_;
    my $email = "zacko\@localhost";
    open (SENDMAIL, "|/usr/lib/sendmail -t -oi");
    print SENDMAIL <<EOF;
From: $0
To: $email
Subject: Contact Us

$message1
$message2
EOF
    close(SENDMAIL) || die "cant close mail";
}

sub display_form {
    my ($message) = @_;
    print $q->header({-title => "zacko"}),
          $q->start_html({title => "Contact Us"}),
          $q->p($message),
          $q->p("Send your questions here"),
          start_form({action  => "mail.pl",
                      enctype => "application/x-www-form-urlencoded",
                      method  => "post"}),
          p("Your Mail Address",
            $q->input({maxlength => "30", name => "mailfrom",
                       size => "30", type => "text"})),
          p($q->textarea(-name => "msg", -override => 1,
                         -rows => 10, -cols => 30)),
          p($q->input({type => "submit", value => "Send"})),
          p($q->input({type => "reset"})),
          $q->end_form,
          $q->end_html;
}

sub display_thanks {
    print $q->header,
          $q->start_html,
          $q->p("Thanks for your mail"),
          $q->end_html;
}
And after I failed to translate all my questions about what I want to ask about this script into proper English, and after I read "why is this tainted?" (but I'm afraid I just misinterpreted that node), maybe all I can ask here is:

Do you think this simple script is secure enough?

I mean about $ENV{'PATH'} or about open (SENDMAIL, "|/usr/lib/sendmail -t -oi").

And about the following code:

my ($mail_from) = defined ($_mail_from) =~ /^(\w+\@\w+\.\w+)$/;

I added "defined" before ($mail_from); without 'defined' I got the following warning: "Use of uninitialized value in pattern match (m//) at mail.pl line 10". Do you know why I got this warning message?

Sorry for my English; maybe I'll get clearer with your advice.

Thank you
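The following is an added example, not the poster's script and not a PerlMonks reply: a version of the same contact form written the way a reviewer would want it under taint mode. It assumes CGI.pm and /usr/lib/sendmail exactly as in the post; the recipient address is a placeholder. Two things differ from the posted script. First, the address pattern is applied to the parameter itself only after a separate defined check: writing defined ($x) =~ /re/ calls defined on $x and then matches the resulting 1 or empty string, so the capture never sees the address and the variable is never untainted. Second, sendmail is started with the list form of open, so no shell parses the command line, and the anchored capture (with \z rather than $) guarantees the value placed in the From: header contains no newline, which is what prevents a submitted value from adding its own header lines.

```perl
#!/usr/bin/perl -wT
# Added example (not the original poster's code). Assumes CGI.pm and
# /usr/lib/sendmail as in the post; the recipient is a placeholder.
use strict;
use warnings;
use CGI qw/:standard/;

# Taint mode needs a PATH that cannot be influenced by the environment.
$ENV{'PATH'} = '/usr/bin:/bin';

my $q = CGI->new;

# Untaint the sender address. Only the capture of a successful match is
# untainted, so the match must run on the string itself. \z (not $) means
# a trailing newline is rejected instead of silently allowed, so the
# returned value can never introduce an extra mail header.
sub clean_address {
    my ($raw) = @_;
    return undef unless defined $raw;       # the case the warning is about
    return $raw =~ /^([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

# The body is data, not a command, so it may stay tainted; printing it to
# a filehandle is permitted under -T. Cap its size and drop carriage
# returns so the message stays well formed.
sub clean_message {
    my ($raw) = @_;
    return undef unless defined $raw && length $raw;
    return undef if length $raw > 4000;
    $raw =~ s/\r//g;
    return $raw;
}

sub send_message {
    my ($from, $body) = @_;
    # List-form pipe open: the arguments go straight to execve, so there is
    # no shell to reinterpret metacharacters, and the literal command is
    # untainted by construction.
    open(my $mail, '|-', '/usr/lib/sendmail', '-t', '-oi')
        or die "cannot run sendmail: $!";
    print {$mail} "From: $from\n",
                  "To: contact\@example.com\n",   # placeholder recipient
                  "Subject: Contact Us\n",
                  "\n",                           # end of headers
                  $body, "\n";
    close($mail) or die "sendmail exited with status $?";
}

sub page {
    my ($text) = @_;
    return $q->header,
           $q->start_html('Contact Us'),
           $q->p($text),
           $q->end_html;
}

# scalar() avoids list-context surprises from param() in a list.
my $from = clean_address(scalar $q->param('mailfrom'));
my $body = clean_message(scalar $q->param('msg'));

if (defined $from && defined $body) {
    send_message($from, $body);
    print page('Thanks for your mail');
} else {
    print page('A valid mail address and a non-empty message are required.');
}
```

The check that matters for the pipe is that the command list contains only literals; the check that matters for the headers is that every value interpolated into a header line has passed an anchored pattern that excludes newlines. Running the script with perl -T and a deliberately malformed mailfrom value (a newline embedded in the address) is the quickest way to confirm the form refuses it.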

2006-05-17 Retitled by planetscape, as per Monastery guidelines


Original title: 'I am just not sure about this CGI script'


In reply to Securing a CGI script by doctor_moron
