On Fri, Feb 08, 2002 at 12:02:11PM -0500, Joel Gwynn wrote:
> As per http://gunther.web66.com/FAQS/taintmode.html I'm using a regular
> expression to untaint the email variable before I send it to sendmail.
> It just doesn't send the email. It sends it if I don't use "-T".
> HELP!!!
I can't be absolutely sure without seeing perl's error message (which is probably in the error log), but I'm assuming the problem is that the PATH environment variable isn't being set from within your program, and so the inherited, tainted one is the one perl sees when it tries to exec sendmail. Take a look at the section "How do I fix system() calls in taint mode?" in the "CGI/Perl Taint Mode FAQ" document you mentioned, or "Cleaning Up Your Path" in the perlsec man page. In the context of the CGI protocol, it might be hard to see why the PATH environment variable is dangerous, since it can't be set by the user. Perl is designed to be used for a wide variety of purposes, though, and for some of them the user is in control of the environment.

-- "How will I remember this day?" -- Samantha Langmead, age 4 1/2.

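As an added illustration of the fix the reply describes (this is example code, not the poster's script): a taint-mode script that sets PATH explicitly, clears the other environment variables perlsec warns about, untaints the address with a capturing regex, and pipes to sendmail without a shell. The `untaint_email` and `send_mail` names, the PATH value and the address pattern are assumptions for the example; run it as `perl -T script.pl user@example.com`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses any exec while PATH is the inherited (tainted) value,
# even when the program is given by absolute path. Set it explicitly and
# drop the other variables perlsec lists. (PATH value is an assumption.)
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint an address by keeping only what a capture group matched; $1 is
# untainted, and input that does not match the whole string is rejected.
# The pattern is deliberately conservative (hypothetical, constructed here).
sub untaint_email {
    my ($addr) = @_;
    return unless defined $addr;
    if ($addr =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/) {
        return $1;
    }
    return;    # still tainted or malformed: caller must not send
}

# Hypothetical helper: deliver a message by piping to sendmail. The list
# form of open() skips /bin/sh, so the address is never shell-interpreted.
sub send_mail {
    my ($to, $subject, $body) = @_;
    my $clean_to = untaint_email($to)
        or die "refusing to send: recipient failed the untaint check\n";
    # A CR or LF in the subject would let extra headers be injected.
    die "refusing to send: newline in subject\n" if $subject =~ /[\r\n]/;

    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
        or die "cannot start sendmail: $!\n";
    print {$mail} "To: $clean_to\n",
                  "Subject: $subject\n\n",
                  "$body\n";
    close($mail) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Driver: under -T anything from @ARGV (or a CGI form) arrives tainted.
my $recipient = shift @ARGV;
send_mail($recipient, 'taint mode test', 'Sent from a -T script.')
    if defined $recipient;
```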