in reply to Re: Taint Mode Doesn't Like SENDMAIL Pipe
in thread Taint Mode Doesn't Like SENDMAIL Pipe

The problem, as explained here, is that $ENV{'PATH'} is untrusted, and not only does Perl mistrust it (hence use the explicit path for sendmail), Perl assumes that sendmail just might try to execute things using the untrusted path with which Perl spawns it, which could be a very bad thing (especially considering sendmail is usually suid root). You must provide a safe $ENV{'PATH'} or you still have potentially tainted data.

--isotope
http://www.skylab.org/~isotope/
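
An added example, not part of the original post, showing the environment cleanup described above before piping to sendmail under taint mode. The sendmail location `/usr/sbin/sendmail`, the `/usr/bin:/bin` PATH and the example.com addresses are assumptions; the list of variables to delete follows the perlsec documentation.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Assumed location of the sendmail binary; adjust for your system.
my $SENDMAIL = '/usr/sbin/sendmail';

# List-form piped open: no shell is involved, arguments are passed as-is.
sub open_sendmail {
    open(my $fh, '|-', $SENDMAIL, '-t', '-oi')
        or die "cannot start $SENDMAIL: $!\n";
    return $fh;
}

# 1. Before cleanup. The absolute path is not enough: the child would
#    inherit the tainted PATH, so Perl refuses the piped open with
#    "Insecure $ENV{PATH} while running with -T switch".
my $fh = eval { open_sendmail() };
print "before cleanup: ", ($fh ? "opened\n" : "refused: $@");
close $fh if $fh;

# 2. Replace PATH with a fixed list of trusted directories and drop the
#    other variables that can change how a shell or child behaves.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 3. After cleanup the same open passes the taint check.
$fh = open_sendmail();
print {$fh} <<'MAIL';    # constructed sample message
From: webform@example.com
To: admin@example.com
Subject: taint mode test

Sent from a script running under -T.
MAIL
close $fh or warn "sendmail exited with status $?\n";
```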