in reply to Re^2: Taint mode trap from Perl 5.6 to 5.8
in thread Taint mode trap from Perl 5.6 to 5.8

"Didn't work either" is not an error message. I'm not convinced. Once you take care of %ENV, and you get "Insecure dependency in exec while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571.", it's coming from this piece of code:

    my %p = @_;
    $p{Sendmail} ||= "/usr/lib/sendmail";

    ### Start with the command and basic args:
    my @cmd = ($p{Sendmail}, @{$p{BaseArgs} || ['-t', '-oi', '-oem']});

    ### See if we are forcibly setting the sender:
    $p{SetSender} = 1 if defined($p{FromSender});

    ### Add the -f argument, unless we're explicitly told NOT to:
    unless (exists($p{SetSender}) and !$p{SetSender}) {
        my $from = $p{FromSender} || ($self->get('From'))[0];
        if ($from) {
            my ($from_addr) = extract_addrs($from);
            push @cmd, "-f$from_addr" if $from_addr;
        }
    }

    ### Open the command in a taint-safe fashion:
    my $pid = open SENDMAIL, "|-";
    defined($pid) or die "open of pipe failed: $!\n";
    if (!$pid) {    ### child
        exec(@cmd) or die "can't exec $p{Sendmail}: $!\n";
        ### NOTREACHED
    }
From what you've shown only $from could be tainted. So either you're leaving something out, or your copy of MIME::Lite is different. In either case you should further examine the values of @cmd.

MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
** The third rule of perl club is a statement of fact: pod is sexy.

Re^4: Taint mode trap from Perl 5.6 to 5.8 - going mad!
by Andre_br (Pilgrim) on Sep 16, 2005 at 02:48 UTC
    Please take a look at this experience:
        my $msg = MIME::Lite->new(
            To      => "$emailsite",
            From    => "$from",
            Subject => "Contato >> $assunto",
            Type    => 'text/html',
            Data    => "$html"
        );
        my $test = qq# $msg $emailsite $from $assunto $html #;
        if ( is_tainted($test) ) { die "tainted"; } else { die "not tainted"; }
        # Dies "not tainted"
        # $msg->send();

    Ok, not tainted, shall work, right? No. When I go to the next step and uncomment the $msg->send(); line, the error remains! Without a single tainted variable! How come!!!??

    Also, how can I check the @cmd if the module is in my host's public module repository?

    Thanks and sorry for the maddening problem

      I don't trust your is_tainted function. Try using the standard one instead:
          use Scalar::Util qw(tainted);    # This module is included in perl 5.8

          my $msg = MIME::Lite->new(
              To      => "$emailsite",
              From    => "$from",
              Subject => "Contato >> $assunto",
              Type    => 'text/html',
              Data    => "$html"
          );

          # Check each value that went into the message, by name
          my %test = (
              '$msg'       => $msg,
              '$emailsite' => $emailsite,
              '$from'      => $from,
              '$assunto'   => $assunto,
              '$html'      => $html,
          );
          my ($k, $v);
          while (($k, $v) = each %test) {
              if (tainted($v)) { print STDERR "$k is TAINTED\n"; }
              else             { print STDERR "$k is not tainted\n"; }
          }
          $msg->send();

      By the way, where did you get your is_tainted function? It's not the standard one suggested in perlsec.
      --
      @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/
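The two points made in this thread, that a tainted From address ends up inside @cmd where exec() refuses it, and that Scalar::Util::tainted is the check to trust, can be seen together in a small stand-alone script. This is an added example for the thread, not code from MIME::Lite or from any of the posters; the sendmail path and base arguments are copied from the MIME::Lite excerpt above only to mirror its @cmd layout, no process is started, and the address regex is a deliberately narrow subset chosen here, not an RFC 5322 parser. It must be run as perl -T taint_demo.pl, because without -T tainted() always returns false.

```perl
#!/usr/bin/perl -T
# Added example for this thread (not code from MIME::Lite or from any
# poster): shows a tainted From address propagating into the sendmail
# argument list, the Scalar::Util::tainted check, and the regex untaint.
# Run as: perl -T taint_demo.pl   (without -T, tainted() is always false)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed tainted input: a zero-length substring of a tainted value
# ($ENV{PATH}) is still tainted, and concatenation propagates the taint,
# which mirrors an address that arrived from a CGI form or from %ENV.
my $taint = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);
my $from  = 'user@example.com' . $taint;

# Untaint by extracting only what a "-f" sender argument may contain.
# Only a regex capture clears the taint flag (perlsec); the pattern is a
# narrow subset of address syntax chosen for this example, not RFC 5322.
sub untaint_addr {
    my ($addr) = @_;
    return undef unless defined $addr;
    return $addr =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

# Same shape as the @cmd built in MIME::Lite's sendmail path (layout
# copied from the excerpt above; nothing is executed here).
sub build_cmd {
    my ($from_addr) = @_;
    my @cmd = ('/usr/lib/sendmail', '-t', '-oi', '-oem');
    push @cmd, "-f$from_addr" if defined $from_addr && length $from_addr;
    return @cmd;
}

# The elements of a command list that would make exec() die under -T.
sub tainted_args {
    return grep { tainted($_) } @_;
}

my @raw = build_cmd($from);
print "raw:       ", join(' ', @raw), "\n";
print "  tainted: ", join(', ', tainted_args(@raw)) || 'none', "\n";
# prints "  tainted: -fuser@example.com"

my $clean = untaint_addr($from);
die "From address rejected, not sending\n" unless defined $clean;

my @safe = build_cmd($clean);
print "untainted: ", join(' ', @safe), "\n";
print "  tainted: ", join(', ', tainted_args(@safe)) || 'none', "\n";
# prints "  tainted: none"

# exec(@safe) in the child would now pass the -T check on its arguments.
# -T also insists on a clean PATH before exec/system (perlsec), e.g.:
#   $ENV{PATH} = '/usr/bin:/bin';
#   delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
```

The first report shows the taint riding along inside the "-f" argument even though the sendmail path and base arguments are clean string literals, which is exactly the element exec() rejects in MIME::Lite. The second shows that a regex capture, not a string copy or a qq# # interpolation, is what clears the flag, so the right place to untaint is the From value before it is handed to MIME::Lite->new, with the regex as narrow as the sender syntax you actually accept.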