PerlMonks  

Taint mode trap from Perl 5.6 to 5.8

by Andre_br (Pilgrim)
on Sep 16, 2005 at 01:32 UTC

Andre_br has asked for the wisdom of the Perl Monks concerning the following question:

Hello my friends,

My host's server was recently upgraded to Debian Sarge and, with it, to Perl 5.8 as well. I was very happy until I realized all my email-generating scripts stopped working right away, with the following error each time I tried to send out an email:

    Software error:
    Insecure $ENV{PATH} while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571.
    1
    Content-type: text/html
    Software error:
    error closing /usr/lib/sendmail: (exit 65280)
    1

The script is basically a contact.cgi, with this code for the emailing:

    use MIME::Lite;
    MIME::Lite->send("sendmail");
    # ... variables definition here
    my $msg = MIME::Lite->new(
        To      => "$emailsite",
        From    => "$from",
        Subject => "Contato >> $assunto",
        Type    => 'text/html',
        Data    => "$html"
    );
    $msg->send(); # This call triggers the error. If I comment it out there's no error message. But there's no email too...

Sure, it's a taint mode issue, and I heard Perl got more rigid about taintedness from 5.6 to 5.8. But the strange thing is that none of the following steps seem to be of any help:

1) Checking for taintedness of all the variables that go into the MIME::Lite->new() method. None of them is tainted. By the way, I used this code to check each one of them:

    if ( is_tainted($variable) ) {
        die "tainted";
    }
    else {
        die "not tainted";
    }

    # Tainted data anywhere in the expression makes kill die under -T
    sub is_tainted {
        return ! eval { join('',@_), kill 0; 1; };
    }

2) Checking for taintedness the $msg variable. Not tainted.

3) Setting the $ENV{'PATH'} from inside the script, with $ENV{'PATH'} = "/usr/local/bin:/usr/bin:/bin"; This one also doesn't solve it, but just changes the problem. The message becomes:

    Software error:
    Insecure dependency in exec while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571.
    1
    Content-type: text/html
    Software error:
    error closing /usr/lib/sendmail: (exit 65280)
    1

Any ideas? I'm clueless here.

Thanks

Andre_br
UPDATE: I also tried the delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; described in the perlsec, but still got the same error.

UPDATE2: I also checked my host's directories /usr/local/bin:/usr/bin:/bin and they are also not world-writable, as perlsec recommends.

Replies are listed 'Best First'.
Re: Taint mode trap from Perl 5.6 to 5.8
by PodMaster (Abbot) on Sep 16, 2005 at 02:06 UTC
    If you examine the Lite.pm line mentioned in the 2nd error, you'll notice that only $from is involved in exec, and that it must be the tainted variable in question.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

      Hello PodMaster,

      I wish you were right, but this isn't it yet. I checked them all and, for an extra check now, I replaced it with a typed value:

          my $msg = MIME::Lite->new(
              To      => "$emailsite",
              From    => "me\@host.com",
              Subject => "Contato >> $assunto",
              Type    => 'text/html',
              Data    => "$html"
          );
          $msg->send();

      And it still doesn't work...

      I even replaced THEM ALL with typed values and it didn't work either!

        Didn't work either is not an error message. I'm not convinced. Once you take care of %ENV, and you get Insecure dependency in exec while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571., it's coming from this piece of code

            my %p = @_;
            $p{Sendmail} ||= "/usr/lib/sendmail";

            ### Start with the command and basic args:
            my @cmd = ($p{Sendmail}, @{$p{BaseArgs} || ['-t', '-oi', '-oem']});

            ### See if we are forcibly setting the sender:
            $p{SetSender} = 1 if defined($p{FromSender});

            ### Add the -f argument, unless we're explicitly told NOT to:
            unless (exists($p{SetSender}) and !$p{SetSender}) {
                my $from = $p{FromSender} || ($self->get('From'))[0];
                if ($from) {
                    my ($from_addr) = extract_addrs($from);
                    push @cmd, "-f$from_addr" if $from_addr;
                }
            }

            ### Open the command in a taint-safe fashion:
            my $pid = open SENDMAIL, "|-";
            defined($pid) or die "open of pipe failed: $!\n";
            if (!$pid) {    ### child
                exec(@cmd) or die "can't exec $p{Sendmail}: $!\n";
                ### NOTREACHED
            }

        From what you've shown only $from could be tainted. So either you're leaving something out, or your copy of MIME::Lite is different. In either case you should further examine the values of @cmd.

        MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
        I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
        ** The third rule of perl club is a statement of fact: pod is sexy.
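
The check suggested in the reply above (examine the values of @cmd), as an added example that is not part of the thread and not MIME::Lite's own code: it builds a command list in the same shape as the quoted code, reports which elements are tainted using Scalar::Util's tainted(), then untaints the sender with a narrow regex capture. The helper names build_cmd, tainted_args and untaint_addr are hypothetical, and the tainted sample address is constructed.

```perl
# Run with taint checks enabled: perl -T check_cmd.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length piece of the (tainted) environment: appending it taints a
# string without changing its text. Stands in for CGI form input.
my $taint = substr(join('', values %ENV), 0, 0);
die "no tainted data available; run with -T\n" unless tainted($taint);

# Environment cleanup from perlsec, as already tried in the question.
$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: same command shape as the MIME::Lite code above.
sub build_cmd {
    my ($from_addr) = @_;
    my @cmd = ('/usr/lib/sendmail', '-t', '-oi', '-oem');
    push @cmd, "-f$from_addr" if $from_addr;
    return @cmd;
}

# Hypothetical helper: list every tainted element with its index.
sub tainted_args {
    my @cmd = @_;
    return map { sprintf '[%d] %s', $_, $cmd[$_] }
           grep { tainted($cmd[$_]) } 0 .. $#cmd;
}

# Hypothetical helper: untaint by capturing against a narrow pattern;
# returns undef when the value does not look like a plain address.
sub untaint_addr {
    my ($value) = @_;
    return $value =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

my $raw = 'me@host.com' . $taint;    # constructed sample input
print "tainted before: $_\n" for tainted_args(build_cmd($raw));

my $clean = untaint_addr($raw);
defined $clean or die "sender address rejected\n";
my @left = tainted_args(build_cmd($clean));
printf "tainted after untainting: %d\n", scalar @left;
```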
