in reply to Taint mode trap from Perl 5.6 to 5.8

If you examine the Lite.pm line mentioned in the 2nd error, you'll notice that only $from is involved in exec, and that it must be the tainted variable in question.

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.

  • Comment on Re: Taint mode trap from Perl 5.6 to 5.8

Replies are listed 'Best First'.
Re^2: Taint mode trap from Perl 5.6 to 5.8
by Andre_br (Pilgrim) on Sep 16, 2005 at 02:14 UTC
    Hello PodMaster,

    I wish you were right, but this isnīt it yet. I checked them all and, for an extra check now, I replaced it with a typed value: 

               my $msg = MIME::Lite->new( 
   
                           To      => "$emailsite",
                           From    => "me\@host.com",
                           Subject => "Contato >> $assunto",
                           Type    => 'text/html',
                           Data    => "$html" );

           $msg->send();

    [download]
    And it still doesnīt work...

    I even replaced THEM ALL with typed values and didnīt work either!

[reply]
[d/l]
      Didn't work either is not an error message. I'm not convinced. Once you take care of %ENV, and you get Insecure dependency in exec while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571., it's coming from this piece of code 
          my %p = @_;
    $p{Sendmail} ||= "/usr/lib/sendmail";

    ### Start with the command and basic args:
    my @cmd = ($p{Sendmail}, @{$p{BaseArgs} || ['-t', '-oi', '-oem']})
+;

    ### See if we are forcibly setting the sender:
    $p{SetSender} = 1 if defined($p{FromSender});

    ### Add the -f argument, unless we're explicitly told NOT to:
    unless (exists($p{SetSender}) and !$p{SetSender}) {
        my $from = $p{FromSender} || ($self->get('From'))[0];
        if ($from) {
        my ($from_addr) = extract_addrs($from);
        push @cmd, "-f$from_addr"       if $from_addr;
        }
    }

    ### Open the command in a taint-safe fashion:
    my $pid = open SENDMAIL, "|-";
    defined($pid) or die "open of pipe failed: $!\n";
    if (!$pid) {    ### child
        exec(@cmd) or die "can't exec $p{Sendmail}: $!\n";
        ### NOTREACHED
    }

      [download]
      From what you've shown only $from could be tainted. So either you're leaving something out, or your copy of MIME::Lite is different. In either case you should further examine the values of @cmd.

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

[reply]
[d/l]
[select]
        Please take a look at this experience: 
                   my $msg = MIME::Lite->new( 
   
                           To      => "$emailsite",
                           From    => "$from",
                           Subject => "Contato >> $assunto",
                           Type    => 'text/html',
                           Data    => "$html" );

my $test = qq# $msg $emailsite $from $assunto $html #;                
+ 
          
if ( is_tainted($test) ) { die "tainted"; } else { die "not tainted"; 
+} # Dies "not tainted"

# $msg->send();

        [download]
        Ok, not tainted, shall work, right? No. When I go to the next step and uncomment the $msg->send(); line, the error remains! Without a single tainted variable! How comes!!!??

        Also, how can I check the @cmd if the module is in my host's public module repository?

        Thanks and sorry for the maddening problem

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom