http://qs321.pair.com?node_id=11134720


in reply to Insecure CPAN module in taint mode

Depending on your mail setup, you might want to simply skip the part that invokes the sendmail executable and use a direct SMTP connection:

return $mail->send('smtp');

In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...
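As an added example (not code from the thread or from MIME::Lite), the script below shows what "set $ENV{PATH} to a fixed value" amounts to under -T. It uses /bin/echo as a stand-in for the sendmail binary that MIME::Lite's default method pipes to, and the PATH value '/usr/bin:/bin' is an assumption you should adjust to where your sendmail actually lives.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, everything that enters the program from outside is tainted,
# and that includes every value in %ENV. Perl refuses to start any
# external program (system, exec, backticks, a piped open) while
# $ENV{PATH} is tainted, even when the command is given by absolute path.
print "PATH tainted at startup: ", (tainted($ENV{PATH}) ? "yes" : "no"), "\n";

# Stand-in for what MIME::Lite's default 'sendmail' method does: a piped
# open of an external binary. /bin/echo is used here so the example is
# harmless; the check Perl applies is the same one sendmail would hit.
sub try_piped_open {
    my ($label) = @_;
    my $ok = eval {
        open(my $fh, '|-', '/bin/echo', $label) or die "open: $!";
        close $fh;
        1;
    };
    return $ok ? "ok\n" : "failed: $@";
}

# Before the fix this dies with
# "Insecure $ENV{PATH} while running with -T switch".
print "piped open before fixing PATH: ", try_piped_open('before');

# The preamble perlsec prescribes: assign a fixed, absolute PATH (a string
# literal is never tainted) and drop the other variables a shell spawned
# by the child could read. Assumed value; pick the directories your
# sendmail binary really lives in.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

print "PATH tainted after fix: ", (tainted($ENV{PATH}) ? "yes" : "no"), "\n";
print "piped open after fixing PATH: ", try_piped_open('after');
```

Run it as perl -T taint_path.pl (or make it executable so the shebang's -T applies; invoking it with plain perl and no -T dies with "Too late for -T"). Put the two PATH lines at the top of your own script, before the MIME::Lite call, and the sendmail pipe passes the same check. Sending over a socket, as the SMTP method does, never starts an external program, so that path does not consult $ENV{PATH} at all.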

Re^2: Insecure CPAN module in taint mode
by Bod (Parson) on Jul 06, 2021 at 19:49 UTC
    In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...

    That's because I don't!
    Nowhere in my code have I set $ENV{PATH} so it is either part of the server configuration or it is set by another module. These are the ones I am using:

    use DBI; use DBD::mysql; use Exporter; use Template; use MIME::Lite;

    Update:
    Printing $ENV{PATH} gives /usr/local/bin:/usr/bin:/bin

      PATH_(variable), Env.

      marto@Marto-Desktop:~$ echo $PATH
      /home/marto/perl5/perlbrew/bin:/home/marto/perl5/perlbrew/perls/perl-5.32.1/bin:/home/marto/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/marto/.local/bin:/home/marto/.local/bin:/snap/bin/openjdk/bin
      marto@Marto-Desktop:~$ ./path.pl
      /home/marto/perl5/perlbrew/bin:/home/marto/perl5/perlbrew/perls/perl-5.32.1/bin:/home/marto/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/marto/.local/bin:/home/marto/.local/bin:/snap/bin/openjdk/bin
      marto@Marto-Desktop:~$ cat path.pl
      #!/usr/bin/perl
      print "$ENV{PATH}\n";
      In your code you don't show how you set $ENV{PATH} to a fixed value - I would start with that...

      That's because I don't!

      That means you haven't thoroughly read perlsec or Re: When not to use taint mode. (Yes, the latter contains a relevant update. It was added a few minutes after posting, three weeks ago.)

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re^2: Insecure CPAN module in taint mode
by Bod (Parson) on Jul 06, 2021 at 22:14 UTC
    Depending on your mail setup, you might want to simply skip that part that invokes the sendmail executable and use a direct SMTP connection

    I think the underlying send mechanism is SMTP. I only suspect this because I once sent quite a bit of mail through MIME::Lite and got a capacity error sent from the SMTP server. But I don't know for sure.

    Setting MIME::Lite to use SMTP with $mime->send('smtp'); was still giving the same tainting error.