http://qs321.pair.com?node_id=11134722


in reply to Insecure CPAN module in taint mode

Since the problem is with MIME::Lite using $ENV{PATH}, if Corion's advice of switching to SMTP instead of sendmail doesn't work for you, I believe you should be able to untaint $ENV{PATH} before MIME::Lite uses it.

perlsec has a whole section on "Cleaning Up Your Path".

My experiments say yes.

    $ENV{PATH} = '/bin:/usr/bin:/usr/sbin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

works for me to untaint the use of $ENV{PATH} before MIME::Lite tries to call sendmail. (That example assumes you trust /bin:/usr/bin:/usr/sbin, which I cannot decide for you.) To be on a system that has sendmail, I had to use perl v5.8.5, which isn't exactly cutting edge, so things may have changed since then... but in my experiments, I could untaint the PATH before MIME::Lite uses it.
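The behaviour described in the reply above, as an added example that is not part of the original post: a taint-mode script that tries an external call with the inherited environment, applies the PATH cleanup, and tries again. The `try_external` helper is hypothetical, and `true` stands in for the sendmail binary that MIME::Lite would run, on the assumption that it lives in one of the listed directories.

```perl
#!/usr/bin/perl -T
# Added illustration, not code from the post or from MIME::Lite.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run a harmless external command by bare name, the way a module that
# shells out to sendmail would, and report whether taint mode allowed it.
# 'true' is a stand-in for sendmail (assumption).
sub try_external {
    my ($label) = @_;

    # Under -T, system() dies with "Insecure $ENV{PATH} ..." (or names
    # another variable such as ENV or CDPATH) while the environment is
    # still tainted, so the call is wrapped in eval.
    my $ok  = eval { system('true') == 0 };
    my $err = $@ || '';
    chomp $err;

    my $result = $ok  ? 'allowed'
               : $err ? "refused: $err"
               :        'command ran but failed';

    printf "%-14s PATH tainted: %-3s  external call: %s\n",
        $label, (tainted($ENV{PATH}) ? 'yes' : 'no'), $result;
    return $ok ? 1 : 0;
}

# 1. Environment as inherited from the caller: PATH is tainted.
try_external('inherited env');

# 2. The cleanup from the post: a fixed PATH made only of directories you
#    trust, plus removal of the shell-affecting variables perlsec lists.
$ENV{PATH} = '/bin:/usr/bin:/usr/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

try_external('cleaned env');
```

Run it as `perl -T script.pl`; perl refuses a `-T` that appears only on the `#!` line when the script is started through `perl` directly. The cleanup has to execute before the module makes its external call, so it belongs near the top of the program.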