Erik Rieselbach wrote:

> Hi,
>
> Can anyone explain to me why I would get a perl error in one web browser but
> not in any others?

This depends on a lot of factors, few of which you are sharing.  Generally, Perl
errors should not come through to the browser.  IIS does pass error messages
through by default.  That is a server-side question, though.  *The browser and
Perl code have nothing directly to do with each other.*  The browser may be
returning information to the server in a way that causes these errors.

>
>
> All I'm doing is taking an email address from a form, feeding it to a
> validation sub that untaints it, then using it with the -f option to
> sendmail. It works fine in Mozilla browsers on both Mac and PC, as well as
> in Safari on the Mac, but Internet Explorer on either platform gives
> "Insecure dependency in piped open while running with -T switch" at the line
> where I open a pipe to sendmail.

It is possible that your server can not negotiate a secure protocol with IE.
You are using user-provided data as a parameter to a shell command, also.
Unless Perl recognizes your validate_email_address as a sufficient filter, it
may assume that this data could contain malicious code.

from perldoc perlsec:
You may not use data derived from outside your program to affect
something else outside your program--at least, not by accident. All
command line arguments, environment variables, locale information (see
perllocale), results of certain system calls (readdir(), readlink(), the
variable of shmread(), the messages returned by msgrcv(), the password,
gcos and shell fields returned by the getpwxxx() calls), and all file
input are marked as "tainted". Tainted data may not be used directly or
indirectly in any command that invokes a sub-shell, nor in any command
that modifies files, directories, or processes, with the following
exceptions:


>
>
> ...
> my $user_email = validate_email_address( param( "Email" ) );
> ...
> open MAIL, "| /usr/lib/sendmail -t -i  -f '$user_email' " or die "Could not open sendmail: $!";

Use Perl.  There are a number of modules which do not require external programs
to send mail.

>
>
> The validate_email_address sub comes straight from "CGI Programming with
> Perl" chapter 9. It's too long to include here but its final line is
>
> return $addr_to_check =~ /^$address$/ox ? $addr_to_check : "";
>
> Any ideas on why this might be happening would be greatly appreciated.

I'm more puzzled on why you are not getting this error when the client browser
is Mozilla.  Perl's taint function does not evaluate your validation function to
see whether it is sufficient to prevent
[EMAIL PROTECTED] rm *
from being passed through to the command line.  It just knows that you should be
alerted to the potential.

Joseph
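An added example, not code from either poster, showing the two things the thread turns on: Perl only treats text captured by a regex (`$1`) as laundered, so a sub that returns the original scalar after a successful match still returns tainted data, and a list-form pipe open never hands the address to a shell. The `$address` pattern here is a simplified stand-in for the book's regex, and the sendmail path is taken from the quoted code.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): untainting an address so that a
# piped open to sendmail is permitted under -T, without using a shell.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, Perl refuses to fork with a tainted PATH even when the
# program is given by absolute path, so clean the environment first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Simplified stand-in for the book's $address pattern (assumption).
my $address = qr/[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

# Shape used in the thread: the match succeeds, but the value returned
# is the original scalar, so it keeps its taint flag.
sub validate_only {
    my ($addr) = @_;
    return $addr =~ /^$address$/ox ? $addr : "";
}

# Returning the capture instead of the input is what actually untaints.
sub validate_and_untaint {
    my ($addr) = @_;
    return $addr =~ /^($address)$/ox ? $1 : "";
}

# Constructed input; in the CGI this would be param("Email").
# @ARGV is tainted under -T, which is what we want to demonstrate.
my $form_input = $ARGV[0] // 'user@example.com';

my $still_tainted = validate_only($form_input);
my $clean         = validate_and_untaint($form_input);
printf "validate_only: tainted=%d\nvalidate_and_untaint: tainted=%d\n",
    tainted($still_tainted) ? 1 : 0, tainted($clean) ? 1 : 0;

exit 1 unless length $clean;

# List-form pipe open: each argument goes straight to execve(), so
# shell metacharacters in the address are never interpreted.
open my $mail, '|-', '/usr/lib/sendmail', '-t', '-i', '-f', $clean
    or die "Could not open sendmail: $!";
print {$mail} "To: webmaster\@example.com\nSubject: test\n\nhello\n";
close $mail or die "sendmail exited with status $?";
```

Run it as `perl -T untaint.pl user@example.com`; the first printf line reports 1 and the second 0, and replacing `$clean` with `$still_tainted` in the open reproduces the "Insecure dependency in piped open" error from the thread.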


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>