PerlMonks
Since the problem is with MIME::Lite using $ENV{PATH}, if Corion's advice of switching to SMTP instead of sendmail doesn't work for you, I believe you should be able to untaint $ENV{PATH} before MIME::Lite uses it.
perlsec has a whole section on Cleaning Up Your Path.

My experiments say yes.

    $ENV{PATH} = '/bin:/usr/bin:/usr/sbin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

works for me to untaint the use of $ENV{PATH} before MIME::Lite tries to call sendmail. (That example assumes you trust /bin:/usr/bin:/usr/sbin, which I cannot decide for you.) To be on a system that has sendmail, I had to use perl v5.8.5, which isn't exactly cutting edge, so things may have changed since then... but in my experiments, I could untaint the PATH before MIME::Lite uses it.

In reply to Re: Insecure CPAN module in taint mode
by pryrt
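
The cleanup described in this reply, as an added example that is not part of the original post: a taint-mode script that tries to spawn a child process with the inherited environment, then inside a block where PATH is replaced and the four shell variables are removed. `/bin/echo` stands in for the sendmail binary, `spawn_check` is a hypothetical helper, and scoping the change with `local` is an addition to the post's plain assignment.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post).
# Assumption: /bin/echo exists and stands in for the sendmail binary.
use strict;
use warnings;

# -T on the #! line alone is not accepted when started as "perl script.pl".
die "run as: perl -T $0\n" unless ${^TAINT};

# Spawn a child without a shell (list-form pipe open). Returns the child's
# output, or the error that stopped the spawn (taint errors are fatal, so
# they are caught with eval).
sub spawn_check {
    my $out = eval {
        open(my $ph, '-|', '/bin/echo', 'spawned')
            or die "cannot run /bin/echo: $!\n";
        my $line = <$ph>;
        close $ph;
        $line;
    };
    return defined $out ? "OK: $out" : "BLOCKED: $@";
}

# 1. Inherited environment: every value in %ENV is tainted, and Perl checks
#    $ENV{PATH} even though the program is given by absolute path.
print "inherited env : ", spawn_check();

{
    # 2. The post's cleanup, scoped to this block with local. A string
    #    literal is untainted. Whether these directories deserve trust is
    #    a per-system decision.
    local $ENV{PATH} = '/bin:/usr/bin:/usr/sbin';
    local @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # This is where the call that makes MIME::Lite run sendmail would go.
    print "cleaned env   : ", spawn_check();
}

# 3. Outside the block the inherited environment is back in place.
print "after block   : ", spawn_check();
```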