Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,

I wonder if anyone can explain what would cause a perl CGI script to fail when accessed in certain web browsers and succeed in others.

All I’m doing is taking an email address from a form, feeding it to a validation sub that untaints it, then using it with the -f option to sendmail. It works fine in Mozilla browsers on both Mac and PC, as well as in Safari on the Mac, but Internet Explorer on either platform gives “Insecure dependency in piped open while running with -T switch” at the line where I open a pipe to sendmail. (I'm using CGI::Carp qw(fatalsToBrowser).)

The relevant bits are

    ...
    my $user_email = validate_email_address( param( "Email" ) );
    ...
    open MAIL, "| /usr/lib/sendmail -t -i -f '$user_email' "
        or die "Could not open sendmail: $!";

The validate_email_address sub comes straight from CGI Programming with Perl, chapter 9. It’s too long to include here but its final line is

    return $addr_to_check =~ /^$address$/ox ? $addr_to_check : "";

This is on a company intranet, running Perl 5.004_04. Server is iPlanet-WebServer-Enterprise/6.0.

Any suggestions on how to tackle this would be greatly welcomed!

Replies are listed 'Best First'.
Re: Browser-specific perl error??
by mattriff (Chaplain) on Mar 12, 2004 at 16:13 UTC
    Concentrating on the error itself: when it occurs, the variable $user_email hasn't been untainted. That's the only reason you'd get that error in reference to that line.

    Are you sure that the subroutine you're using always untaints the data? The error suggests that this can't be true, so I wouldn't be sure. :) Nothing in that last line that you've included would untaint the data, for instance.

    The browser issue could turn out to be a red herring. In any event, I think you'll get further by ignoring that and concentrating on the validate_email_address() subroutine.

    - Matt Riffle
      VP Technology, pair Networks, Inc.
      (although, I speak only for myself; code is untested unless otherwise stated)
      Concentrating on the error itself: when it occurs, the variable $user_email hasn't been untainted. That's the only reason you'd get that error in reference to that line.
      Perl checks more than taintedness of the argument to pipe open. It also checks whether a bunch of environment variables are either not set, or untainted. See man perlsec for details.

      Abigail

        I would look at the environment variables as these are quite possibly being affected by the web server. If one of these is set strangely only when using IE that would explain things.

        It might be worthwhile doing a raw data capture on the network interface (Ethereal or equivalent) to see the actual TCP data stream rather than looking at the post web server filtered version of the data.

        Hope it helps.
        UnderMine
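An added example, not code from the question or from any of the replies, pulling together the two points raised above: a value is untainted only by capturing it out of a regex match (returning the original string, as the quoted last line does, leaves it tainted), and a piped open under -T also requires %ENV to be cleaned up as perlsec describes. The narrow address pattern is an assumption standing in for the book's full one.

```perl
#!/usr/bin/perl -T
use strict;
use CGI qw(param);

# perlsec: before a piped open under -T, PATH must be a trusted,
# untainted value and the shell-influencing variables must be gone.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing. The character class is an assumption: it is
# deliberately narrow and admits no quotes, spaces or shell
# metacharacters, so interpolating $1 inside '...' below is safe.
sub validate_email_address {
    my $addr_to_check = shift;
    return "" unless defined $addr_to_check;
    if ($addr_to_check =~ /^([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)$/) {
        return $1;    # $1 is untainted; $addr_to_check still is not
    }
    return "";        # anything else is rejected outright
}

my $user_email = validate_email_address( param("Email") );
die "Invalid email address\n" unless length $user_email;

# Same pipe as in the question; it now passes the taint check because
# both $user_email and %ENV are clean.
open MAIL, "| /usr/lib/sendmail -t -i -f '$user_email' "
    or die "Could not open sendmail: $!";
print MAIL "To: $user_email\n",
           "Subject: test\n\n",
           "Hello.\n";
close MAIL or die "sendmail failed: $!";
```

Whichever browser submits the form, a value that fails the pattern is rejected before the open is attempted, so the "Insecure dependency" message should no longer appear; if it still does, %ENV is the remaining suspect.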

Re: Browser-specific perl error??
by Happy-the-monk (Canon) on Mar 12, 2004 at 16:04 UTC

    Since perl is running on the server, not client, I can't explain why it should fail with one browser and succeed with the other.

    What could make a difference there is the data the different browsers send to the script. That might lead to the funny experience. Check the data contained in param( "Email" ) for funny characters.

    Sören