PerlMonks  

Re: Insecure CPAN module in taint mode

by Corion (Patriarch)
on Jul 06, 2021 at 19:20 UTC (#11134720)


in reply to Insecure CPAN module in taint mode

Depending on your mail setup, you might want to simply skip that part that invokes the sendmail executable and use a direct SMTP connection:

return $mail->send('smtp');

In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...

Re^2: Insecure CPAN module in taint mode
by Bod (Curate) on Jul 06, 2021 at 19:49 UTC
    In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...

    That's because I don't!
    Nowhere in my code have I set $ENV{PATH} so it is either part of the server configuration or it is set by another module. These are the ones I am using:

    use DBI; use DBD::mysql; use Exporter; use Template; use MIME::Lite;

    Update:
    Printing $ENV{PATH} gives /usr/local/bin:/usr/bin:/bin

      PATH_(variable), Env.

      marto@Marto-Desktop:~$ echo $PATH
      /home/marto/perl5/perlbrew/bin:/home/marto/perl5/perlbrew/perls/perl-5.32.1/bin:/home/marto/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/marto/.local/bin:/home/marto/.local/bin:/snap/bin/openjdk/bin
      marto@Marto-Desktop:~$ ./path.pl
      /home/marto/perl5/perlbrew/bin:/home/marto/perl5/perlbrew/perls/perl-5.32.1/bin:/home/marto/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/marto/.local/bin:/home/marto/.local/bin:/snap/bin/openjdk/bin
      marto@Marto-Desktop:~$ cat path.pl
      #!/usr/bin/perl
      print "$ENV{PATH}\n";
      In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...

      That's because I don't!

      That means you haven't thoroughly read perlsec or Re: When not to use taint mode. (Yes, the latter contains a relevant update. It was added a few minutes after posting, three weeks ago.)

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re^2: Insecure CPAN module in taint mode
by Bod (Curate) on Jul 06, 2021 at 22:14 UTC
    Depending on your mail setup, you might want to simply skip that part that invokes the sendmail executable and use a direct SMTP connection

    I think the underlying send mechanism is SMTP. I only suspect this because I once sent quite a bit of mail through MIME::Lite and got a capacity error sent from the SMTP server. But I don't know for sure.

    Setting MIME::Lite to use SMTP with $mime->send('smtp'); was still giving the same tainting error.
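An added example (not code from any post in this thread) showing the cleanup perlsec prescribes and why printing $ENV{PATH}, as done above, says nothing about its taint state: under -T every value inherited from the environment is tainted whatever its contents. It assumes Scalar::Util's tainted() and reuses the directory list from the output posted above.

```perl
#!/usr/bin/perl -T
# Added example: taint state of %ENV under -T and the perlsec cleanup
# that must happen before any module (e.g. MIME::Lite's sendmail path)
# runs an external program.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Report a value together with its taint flag; the flag, not the value,
# is what "Insecure $ENV{PATH} while running with -T switch" is about.
sub describe {
    my ($name, $value) = @_;
    return sprintf "%s = %s (tainted: %s)\n", $name,
        defined $value ? $value : '(unset)',
        tainted($value) ? 'yes' : 'no';
}

# Returns 1 when PATH is safe to use from taint mode, 0 otherwise.
sub path_is_clean { return tainted($ENV{PATH}) ? 0 : 1 }

print describe('PATH before cleanup', $ENV{PATH});   # tainted: yes

# perlsec's prescription: assign a fixed PATH (a literal is untainted)
# and drop the variables a spawned shell would honour. Every directory
# listed here must also not be world-writable, or perl reports
# "Insecure directory in $ENV{PATH}" instead.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';   # list taken from Bod's post
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print describe('PATH after cleanup', $ENV{PATH});    # tainted: no

# Only now may a child process be started. The list form of system()
# avoids the shell entirely; the arguments are literals, so untainted.
if (path_is_clean()) {
    system('/bin/echo', 'child process ran with a fixed PATH') == 0
        or die "echo failed: $?";
}
```

Run it with and without the cleanup block to see the same script die before the cleanup and succeed after it; the printed PATH looks identical both times.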
