Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

my code: 
my $send_path = "/usr/sbin/sendmail -oi -t";
if ($send_path =~ /(.*)/) { $send_path = $1; }

[download]


How come I receive a Insecure $ENV{PATH} while running with -T switch error still?

My above code untaints the sendmail path, but i still receive this error with my script. Am I doing something wrong? I must be huh? Any help will be welcomed! Thanks.

Replies are listed 'Best First'.
Re: Insecure $ENV{PATH} while running with -T switch
by quester (Vicar) on Nov 03, 2006 at 02:29 UTC
    Perl doesn't know that sendmail isn't going to use its $PATH variable to spawn a subprocess. For this reason any call to system() or qx() or `command...` will balk if $ENV{PATH} is tainted, and it will always be tainted when Perl first starts. The solution is to just add the line 
    $ENV{PATH} = "/bin";

    [download]
    at the start of any script that runs with -T. You can add more directories to the path such as /usr/bin at your discretion, but the directories had best not be writable by malicious users.
[reply]
[d/l]
Re: Insecure $ENV{PATH} while running with -T switch
by ikegami (Patriarch) on Nov 03, 2006 at 03:57 UTC

    You really should be using a mail module, such as MIME::Lite.

    But if you can't (and I don't see why you couldn't), you should replace
    system("/usr/sbin/sendmail -oi -t");
    with
    system("/usr/sbin/sendmail", "-oi", "-t");
    The first passes the command to a shell which then parses and interprets it, while the latter calls sendmail directly. That makes it safer, and allows you to check the return code of sendmail (as opposed to the return code of the shell that calls sendmail).

    ( To answer your question, since the command you're executing is parsed and interpreted by the shell, Perl has no idea if the PATH will be used or not. Even if it did know (and when it does know) the PATH won't be used, it probably gives the same error since there's no harm in erring on the side of caution in this situation. )

[reply]
[d/l]
[select]
Re: Insecure $ENV{PATH} while running with -T switch
by hesco (Deacon) on Nov 03, 2006 at 08:03 UTC
    To expand for a moment on what quester and Ikegami have said above, . . .

    Your $send_path assignment defines the path to an executable, not your environmental PATH variable. To do that follow quester's advice.

    Any executable run from inside a perl script can in turn run any other executable in the PATH of the user which owns the process.

    By using taint and then limiting the path to those where you need not fear any damage might be done, you make it safe for an anonymous browser to invoke an executable beyond the cgi script offered on your web server. And taint is there to warn you if you stray from the path.

    Hope that adds some clarity

    -- Hugh

    if( $lal && $lol ) { $life++; }
[reply]

Back to Seekers of Perl Wisdom