Re^2: Checking mail command for success

Note that you're subject to attacks by passing unescaped text to the shell.

Sorry, but could you explain this in more detail?

thanks!

Comment on Re^2: Checking mail command for success

Replies are listed 'Best First'.
Re^3: Checking mail command for success by ikegami (Patriarch) on Apr 23, 2009 at 19:37 UTC
"`John Doe <john@example.org>`" (minus the quotes) is a valid email address, but you'll have problems if `$recipients` contains that. And of course, there's the malicious who might find a way of getting "`\| rm -rf /`" (minus the quotes) into `$host` or `$recipients`. The multiple argument form of various commands gets around that problem. `use IPC::Open3 qw( ); open(my $mailer_fh, '\|-', '/bin/mail', '-s', $hostn, $recipients) or die("Cannot execute mail command: $!\n"); open(my $msg_fh, '<', $disk_changes) or die("Cannot execute message file: $!\n"); print $mailer_fh $_ while <$msg_fh>; close($mailer_fh) or die("Error sending mail message: $!\n"); $? == 0 or die("Error sending mail message: $?\n");` [download]	[reply] [d/l] [select]

Replies are listed 'Best First'.

Re^3: Checking mail command for success
by ikegami (Patriarch) on Apr 23, 2009 at 19:37 UTC

"John Doe <john@example.org>" (minus the quotes) is a valid email address, but you'll have problems if $recipients contains that.

And of course, there's the malicious who might find a way of getting "| rm -rf /" (minus the quotes) into $host or $recipients.

The multiple argument form of various commands gets around that problem.

use IPC::Open3 qw( );

open(my $mailer_fh, '|-', '/bin/mail', '-s', $hostn, $recipients)
   or die("Cannot execute mail command: $!\n");

open(my $msg_fh, '<', $disk_changes)
   or die("Cannot execute message file: $!\n");

print $mailer_fh $_ while <$msg_fh>;

close($mailer_fh)
   or die("Error sending mail message: $!\n");

$? == 0
   or die("Error sending mail message: $?\n");
[download]

[reply]
[d/l]
[select]