PerlMonks  

Re^2: Taint mode trap from Perl 5.6 to 5.8

by Andre_br (Pilgrim)
on Sep 16, 2005 at 02:14 UTC


in reply to Re: Taint mode trap from Perl 5.6 to 5.8
in thread Taint mode trap from Perl 5.6 to 5.8

Hello PodMaster,

I wish you were right, but this isn't it yet. I checked them all and, for an extra check now, I replaced it with a typed value:

    use MIME::Lite;

    my $msg = MIME::Lite->new(
        To      => "$emailsite",
        From    => "me\@host.com",          # literal, typed in by hand
        Subject => "Contato >> $assunto",
        Type    => 'text/html',
        Data    => "$html",
    );
    $msg->send();

And it still doesn't work...

I even replaced THEM ALL with typed values and it didn't work either!

Re^3: Taint mode trap from Perl 5.6 to 5.8
by PodMaster (Abbot) on Sep 16, 2005 at 02:36 UTC
    "Didn't work either" is not an error message. I'm not convinced. Once you take care of %ENV, and you get "Insecure dependency in exec while running with -T switch at /usr/share/perl5/MIME/Lite.pm line 2571.", it's coming from this piece of code:

        my %p = @_;
        $p{Sendmail} ||= "/usr/lib/sendmail";

        ### Start with the command and basic args:
        my @cmd = ($p{Sendmail}, @{$p{BaseArgs} || ['-t', '-oi', '-oem']});

        ### See if we are forcibly setting the sender:
        $p{SetSender} = 1 if defined($p{FromSender});

        ### Add the -f argument, unless we're explicitly told NOT to:
        unless (exists($p{SetSender}) and !$p{SetSender}) {
            my $from = $p{FromSender} || ($self->get('From'))[0];
            if ($from) {
                my ($from_addr) = extract_addrs($from);
                push @cmd, "-f$from_addr" if $from_addr;
            }
        }

        ### Open the command in a taint-safe fashion:
        my $pid = open SENDMAIL, "|-";
        defined($pid) or die "open of pipe failed: $!\n";
        if (!$pid) {    ### child
            exec(@cmd) or die "can't exec $p{Sendmail}: $!\n";
            ### NOTREACHED
        }

    From what you've shown, only $from could be tainted. So either you're leaving something out, or your copy of MIME::Lite is different. In either case you should further examine the values of @cmd.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

      Please take a look at this experience:

          use MIME::Lite;

          my $msg = MIME::Lite->new(
              To      => "$emailsite",
              From    => "$from",
              Subject => "Contato >> $assunto",
              Type    => 'text/html',
              Data    => "$html",
          );
          my $test = qq# $msg $emailsite $from $assunto $html #;
          # is_tainted() is my own helper (not shown here)
          if ( is_tainted($test) ) { die "tainted"; } else { die "not tainted"; }
          # Dies "not tainted"
          # $msg->send();

      Ok, not tainted, it should work, right? No. When I go to the next step and uncomment the $msg->send(); line, the error remains! Without a single tainted variable! How come!!!??

      Also, how can I check the @cmd if the module is in my host's public module repository?

      Thanks and sorry for the maddening problem

        I don't trust your is_tainted function. Try using the standard one instead:

            use MIME::Lite;
            use Scalar::Util qw(tainted);   # This module is included in perl 5.8

            my $msg = MIME::Lite->new(
                To      => "$emailsite",
                From    => "$from",
                Subject => "Contato >> $assunto",
                Type    => 'text/html',
                Data    => "$html",
            );

            my %test = (
                '$msg'       => $msg,
                '$emailsite' => $emailsite,
                '$from'      => $from,
                '$assunto'   => $assunto,
                '$html'      => $html,
            );
            my ($k, $v);
            while (($k, $v) = each %test) {
                if (tainted($v)) { print STDERR "$k is TAINTED\n"; }
                else             { print STDERR "$k is not tainted\n"; }
            }
            $msg->send();

        By the way, where did you get your is_tainted function? It's not the standard one suggested in perlsec.
        --
        @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/
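The mechanism PodMaster describes (one tainted element in @cmd is enough to make exec() die under -T) and the Scalar::Util::tainted check from the last reply, put together in one runnable script. This is an added example, not code from the thread or from MIME::Lite: the sendmail path and flags are copied from the excerpt above, the From: value is a constructed stand-in that is deliberately tainted the way a CGI form field would be, and untaint_addr() is an illustrative perlsec-style regex untaint, not something MIME::Lite provides. Nothing is mailed; the exec() is attempted in a throwaway child so the parent can go on to show the fix.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread or MIME::Lite). Run as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything from outside the program is tainted, %ENV included.
# A zero-length slice of $ENV{PATH}, taken before PATH is cleaned, is an
# empty string that still carries the taint; concatenating it taints a
# constructed value exactly as a real form field would be tainted.
die "PATH is not set\n" unless defined $ENV{PATH};
my $taint = substr $ENV{PATH}, 0, 0;

# Clean %ENV first, as PodMaster says: with a tainted PATH, exec() dies
# before it even looks at its own argument list.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for the form's From: value ($from in the thread).
my $from = 'andre@example.com' . $taint;

# The same @cmd MIME::Lite builds before exec() (path and flags assumed
# from the excerpt above). For a bare address, extract_addrs() hands the
# string back unchanged, so "-f$from_addr" inherits its taint.
sub sendmail_cmd {
    my ($from_addr) = @_;
    my @cmd = ('/usr/lib/sendmail', '-t', '-oi', '-oem');
    push @cmd, "-f$from_addr" if $from_addr;
    return @cmd;
}

# Print each value, marking the ones Scalar::Util says are tainted.
sub report {
    my ($label, @values) = @_;
    printf "%-18s %s\n", $label,
        join ' ', map { tainted($_) ? "TAINTED($_)" : $_ } @values;
}

# perlsec untaint: only a regex capture clears the flag. Whitelist what an
# address may contain and reject, rather than repair, anything else;
# capturing /(.*)/ would "untaint" without checking anything.
sub untaint_addr {
    my ($addr) = @_;
    $addr =~ /\A([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)\z/
        or die "refusing to use From address '$addr'\n";
    return $1;
}

report('raw From:', $from);
my @cmd = sendmail_cmd($from);
report('@cmd:', @cmd);

# Reproduce the failure in a child so the parent keeps running: under -T,
# exec() croaks "Insecure dependency in exec" before anything is executed
# when any element of the list is tainted.
defined(my $pid = fork) or die "fork failed: $!\n";
if (!$pid) {
    eval { exec @cmd };
    print "child exec: $@";
    exit 0;
}
waitpid $pid, 0;

# The fix: validate and untaint the address before it reaches MIME::Lite.
my $clean = untaint_addr($from);
report('untainted From:', $clean);
report('@cmd:', sendmail_cmd($clean));
# MIME::Lite->new(From => $clean, ...)->send would now pass the exec()
# taint check (not executed here).
```

The first report shows that only the "-f..." element is tainted, which is why checking the header strings one by one, as in the thread, can look clean while send() still dies: the taint is on the value MIME::Lite derives from From:, not on $msg. The same untaint should be applied to the To: value before it is used as $emailsite, since sendmail -t reads recipients from the message body and MIME::Lite passes the header through unchanged.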
