RE: Secure Form Script?
From: Beth Skwarecki (beth_at_cz-na.com)
Date: 05/19/04
- Previous message: Jim: "Re: iptables firewall script for debian-woody, 2.4.24"
- Maybe in reply to: Victor Daniel a.k.a the MacNut: "Secure Form Script?"
- Next in thread: Glynn Clements: "RE: Secure Form Script?"
- Reply: Glynn Clements: "RE: Secure Form Script?"
- Reply: Paolo Campanella: "RE: Secure Form Script?"
- Reply: Tim Greer: "RE: Secure Form Script?"
- Reply: Tim Tompkins: "Re: Secure Form Script?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 May 2004 12:36:50 -0400
To: focus-linux@securityfocus.com
It's silly to be piping things to sendmail this way in Perl. There are
two reasons why:
1) To expand a bit on Bryce Porter's comments, it's much safer to use
system()'s built-in argument handling than to attempt to sanitize
arguments yourself before putting them all together on a command that
the shell gets to execute:
    system LIST
    system PROGRAM LIST
        Does exactly the same thing as "exec LIST", except
        that a fork is done first, and the parent process
        waits for the child process to complete. Note
        that argument processing varies depending on the
        number of arguments. If there is more than one
        argument in LIST, or if LIST is an array with more
        than one value, starts the program given by the
        first element of the list with arguments given by
        the rest of the list.
In other words, the first argument to system() is the command, but
subsequent arguments are given to the command as its argv, *NOT* just
stuffed onto the command line. This way, a "; rm -rf /" won't be
executed as its own command, but just passed as an argument to the
program (which may then ignore it, give an error, etc., as it pleases).
2) HOWEVER, it's silly to be using sendmail at all, in most cases. This
is what the Perl module Mail::Sendmail is for. You give it a hash with
all the headers you want to send, and it sends directly (it is *not* a
wrapper around the sendmail binary; it works on all platforms, even
when sendmail is not installed):
    use strict;
    use warnings;
    use Mail::Sendmail;

    # Header names that are not plain identifiers (e.g. with hyphens)
    # must be quoted; a bare X-Silly-Header would not parse as a key.
    my %mail = (
        To               => 'you@example.com',
        From             => 'me@example.com',
        Subject          => 'this is a test',
        'X-Silly-Header' => 'asdfasdf',
        Message          => 'This is the body of my message blah blah blah',
    );
    sendmail(%mail) or die $Mail::Sendmail::error;
CPAN is your friend. :)
http://search.cpan.org/~mivkovic/Mail-Sendmail-0.79/Sendmail.pm
-beth
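As an added example (not part of Beth's post or the Mail::Sendmail module), here is a form-mail sender that applies point 1 above using only core Perl: the list form of a piped open has the same argv handling as system LIST, so no shell ever sees the form data. The sendmail path and the address/header checks are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: send form mail without ever handing user input to a shell.
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed location of the binary

# Refuse CR/LF so a form field cannot smuggle extra headers into the message.
sub clean_header_value {
    my ($value) = @_;
    die "header value contains CR/LF\n" if $value =~ /[\r\n]/;
    return $value;
}

# Conservative address check: one token, no whitespace, no shell metacharacters.
sub clean_address {
    my ($addr) = @_;
    die "invalid address: $addr\n"
        unless $addr =~ /\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/;
    return $addr;
}

sub send_form_mail {
    my (%m) = @_;
    my $to   = clean_address($m{To});
    my $from = clean_address($m{From});
    my $subj = clean_header_value($m{Subject});

    # UNSAFE, what the thread warns against:  open(SM, "|$SENDMAIL $to")
    # That string goes through /bin/sh, so metacharacters in $to run as commands.
    #
    # SAFE: list-form open, like system LIST. Each element becomes exactly one
    # argv entry for sendmail; nothing is interpreted by a shell. -t makes
    # sendmail take recipients from the headers, -oi keeps a lone "." from
    # ending the message early.
    open(my $sm, '|-', $SENDMAIL, '-oi', '-t')
        or die "cannot run $SENDMAIL: $!\n";
    print {$sm} "To: $to\n", "From: $from\n", "Subject: $subj\n", "\n", $m{Message};
    close($sm) or die "sendmail failed, exit status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed input, as a web form might submit it. A value such as
# "you@example.com; rm -rf /" fails clean_address() before sendmail starts.
send_form_mail(
    To      => 'you@example.com',
    From    => 'me@example.com',
    Subject => 'this is a test',
    Message => "This is the body of my message\n",
) unless caller;   # run only when invoked directly, not when required
```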