doctor_moron has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, I have an example script like this : 
#!/usr/bin/perl -wT 
use strict;
use CGI qw/:standard/;

$ENV{'PATH'}='';
my $q = new CGI;
my $_mail_from = $q->param("mailfrom");
my $msg = $q->param("msg");

my ($mail_from) = defined ($_mail_from) =~ /^(\w+\@\w+\.\w+)$/;

if($mail_from && $msg) {
  &send_message($mail_from,$msg);
  &display_thanks;
}
else { &display_form }

sub send_message {
  my ($message1, $message2) = @_;
  my $email = "zacko\@localhost";
  open (SENDMAIL, "|/usr/lib/sendmail -t -oi");
print SENDMAIL <<EOF;
From: $0
To: $email
Subject: Contact Us
$message1 $message2

EOF
  close(SENDMAIL) || die "cant close mail";
}

sub display_form {
  my ($message) = @_;
  print $q->header({-title=>"zacko"}),
  $q->start_html({title=>"Contact Us"}),
  $q->p($message),
  $q->p("Send your questions here"),
  start_form({action => "mail.pl",
              enctype => "application/x-www-form-urlencoded",
          method => "post"}),
  p("Your Mail Address",
      $q->input({maxlength=>"30",name=>"mailfrom",
               size=>"30", type=>"text"})),
  p($q->textarea(-name=>"msg",-override=>1, -rows=>10,-cols=>30)),
  p($q->input({type=>"submit",value=>"Send"})),
  p($q->input({type=>"reset"})),
  $q->end_form,
  $q->end_html;
}

sub display_thanks {
  print $q->header, $q->start_html,
  $q->p("Thanks for your mail"),
  $q->end_html;
}

[download]
And after im failed to translate all my questions about what i want to ask about this script to proper english, and after i read why is this tainted? but im afraid im just misinterpreted that node, maybe all i can ask here is ..

do you think this simple script is secure enough ?

i mean about $ENV{'PATH'} or about open (SENDMAIL, "|/usr/lib/sendmail -t -oi")

And about this following code : 

my ($mail_from) = defined ($_mail_from) =~ /^(\w+\@\w+\.\w+)$/;

[download]

i added "defined" before ($mail_from), without 'defined' i got the following warning "Use of uninitialized value in pattern match(m//) at mail.pl line 10, do you why i got this warning message ?

Sorry for my english, maybe i'll get clearer with your advices.

thank you

2006-05-17 Retitled by planetscape, as per Monastery guidelines

( keep:6 edit:22 reap:0 )

Original title: 'I am just not sure about this CGI script'

Replies are listed 'Best First'.
Re: Securing a CGI script
by dsheroh (Monsignor) on May 16, 2006 at 18:04 UTC
    The reason you're getting the warning is that you are attempting to match a pattern against a variable whose value is undef, because $_mail_from is not defined. The root cause is that param('mailfrom') is not defined, because the HTTP request which triggers the script doesn't have a mailfrom value specified.

    Your workaround to get rid of the warning does not appear to do what you intended. Based on some quick tests, it looks like it causes your pattern to be matched against the result of defined ($_mail_from), which is a true/false value and will never match the pattern.

    A better solution would be to add a line prior to that match which either returns an error if no from: address is provided ($show_error_message unless defined $_mail_from) or else to assign a default value if it doesn't have one ($_mail_from = 'nobody@nowhere.com' unless $_mail_from, or change line 7 to my $_mail_from = $q->param("mailfrom") || 'nobody@nowhere.com').

[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom