

Home > Archive > PERL Beginners > November 2005 > Mail::Send and Taint










 

Author Mail::Send and Taint
Tom Allison

2005-11-19, 9:56 pm

I think I just got burned on Mail::Send.
I've been using it for months/years with no problem, but now I'm writing
a web app and Taint won't let me use Mail::Send

Insecure $ENV{PATH} while running with -T switch at
/usr/share/perl5/Mail/Mailer/sendmail.pm line 16.

What got me is that I call this from code that is already running it
under the apache config: PerlTaintCheck On.
So how can the $ENV{PATH} be insecure if it passes on all the other
calls in my code?
I'm assuming that the problem is something like this:
Mail::Send calls for the 'sendmail' alias which is in
/usr/sbin/sendmail
This is not part of my $ENV{PATH} but I didn't set it anywhere, I'm
assuming that this was set somewhere, but I'm not setting it that I can
see, nor can I set it to work.

Options?
Ideas?
Tom Allison

2005-11-20, 9:56 pm

Tom Allison wrote:
> I think I just got burned on Mail::Send.
> I've been using it for months/years with no problem, but now I'm writing
> a web app and Taint won't let me use Mail::Send
>
> Insecure $ENV{PATH} while running with -T switch at
> /usr/share/perl5/Mail/Mailer/sendmail.pm line 16.



The answer is: Don't use Mail::Send in a secure environment because it's
trying to send email via local 'sendmail' type applications.
It might be possible to use this with an SMTP type network connection
but I couldn't find any documentation to that effect.

Mail::Mailer with an SMTP connection works fine.
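
An added example, not taken from either post or from the Mail::Send code: perlsec documents that taint mode refuses to start any external program while `$ENV{PATH}` still holds the value inherited from the caller, even when the program is named by absolute path, and that assigning PATH a fixed value clears the error. The `/bin/sh` command is a constructed stand-in for sendmail, `try_run` and `send_note` are hypothetical helpers, and the mail host and addresses are placeholders.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_path_demo.pl
use strict;
use warnings;

# Hypothetical helper: run an external command and return '' on success or
# the exception text. Under -T, system() dies before anything is executed
# if the environment is still tainted.
sub try_run {
    my @cmd = @_;
    my $ok = eval { system(@cmd) == 0 or die "exit status $?\n"; 1 };
    return $ok ? '' : $@;
}

# Constructed stand-in for /usr/sbin/sendmail, so the demo sends no mail.
my @cmd = ('/bin/sh', '-c', 'exit 0');

# 1. PATH as inherited from the caller is tainted. The check fires even
#    though the command is given by absolute path and PATH is never searched.
print "inherited PATH: ", (try_run(@cmd) || "ok\n");

# 2. Assign a fixed PATH and drop the other variables perlsec lists.
#    Every directory must be absolute and not writable by others, or perl
#    reports "Insecure directory in $ENV{PATH}" instead.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
print "fixed PATH:     ", (try_run(@cmd) || "ok\n");

# 3. The same cleanup belongs before a mailer that runs a local program.
#    The 'smtp' mailer type talks to a server over the network instead.
#    Not called here; pass ('sendmail') or
#    ('smtp', Server => 'mail.example.com') (placeholder host).
sub send_note {
    my ($type, @args) = @_;
    require Mail::Mailer;
    my $mailer = Mail::Mailer->new($type, @args);
    $mailer->open({
        From    => 'app@example.com',     # placeholder address
        To      => 'admin@example.com',   # placeholder address
        Subject => 'taint test',
    });
    print {$mailer} "Sent from a taint-checked script.\n";
    $mailer->close;
}
```

Under mod_perl the assignment to `$ENV{PATH}` has to happen in the handler or startup code before the mailer is opened, since the PATH Apache passes in is tainted as well.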








Copyright 2008 codecomments.com