You need to clear out the $ENV{PATH} variable. That is the insecure
dependency because the system() call cannot tell whether the program it is
calling might have its behavior change if the PATH was set maliciously.

Of course, this generally applies to SUID scripts and not CGI, but
taintmode operates the same way no matter what.

Add something like

$ENV{"PATH"} = undef; 

before the system() call.

Later,
  Gunther

On Sun, 3 Oct 1999, Stas Bekman wrote:

> 
> one of your variables you pass to the system is tainted. refer to perlsec
> manpage for more info.
> 
> perldoc perlsec
> 
> > Greetings,
> > 
> > Does anyone know what that server error suggests:
> > 
> > Insecure $ENV{PATH} while running with -T switch at 
> > /home/web/perl/contact.pl line 46.
> > 
> > 
> > Close to this line in this source file I have:
> > 
> >         open (SENDMAIL, "| /usr/sbin/sendmail -oi -t")
> >                 or unexpected("contact.pl: Can't open sendmail process: $!\n");
> > 
> >         print SENDMAIL "To:support\@findmax.com\n";
> >         print SENDMAIL "From:".$input{'email'}."\n";
> >         print SENDMAIL "Subject: [contact form]".$input{'subject'}."\n\n";
> >         print SENDMAIL $input{'message'}."\n";
> > 
> >         close (SENDMAIL)
> >                 or intecept("contact.pl: Sendmail did not finish w/ success: $!");
> > 
> > 
> > Thank you!
> > 
> > 
> > __________________________________________________________
> > Petar Maymounkov                      Cell: (617) 283-2401
> > 166 Quincy Mail Center                Home: (617) 493-3106
> > Cambridge, MA 02138        Page: [EMAIL PROTECTED]
> > 
> > 
> 
> 
> 
> _______________________________________________________________________
> Stas Bekman  mailto:[EMAIL PROTECTED]    www.singlesheaven.com/stas  
> Perl,CGI,Apache,Linux,Web,Java,PC at  www.singlesheaven.com/stas/TULARC
> www.apache.org  & www.perl.com  == www.modperl.com  ||  perl.apache.org
> single o-> + single o-+ = singlesheaven    http://www.singlesheaven.com
> 
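A worked version of the fix discussed in this thread, added here as an example and not code from any of the posters: the contact-form mailer rewritten so it runs under `-T`. It sets `$ENV{PATH}` to a fixed value and drops the other shell-influencing variables as `perlsec` recommends (instead of assigning `undef`), untaints the form fields by regex capture before they reach a mail header, and uses the list form of `open` so no shell parses the command (a change from the original `"| /usr/sbin/sendmail -oi -t"` string). The sendmail path `/usr/sbin/sendmail`, the `support@example.com` recipient, and the `%good`/`%bad` inputs are assumptions constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a contact-form mailer that runs
# cleanly under taint mode. Assumes sendmail lives at /usr/sbin/sendmail
# and that the caller has already parsed the form fields into a hash.
use strict;
use warnings;

# 1. Make %ENV trustworthy before any subprocess is started. Taint mode
#    checks $ENV{PATH} on every system()/exec()/piped open(), even when
#    the program is named by absolute path (perlsec, "Cleaning Up Your
#    Path"). IFS, CDPATH, ENV and BASH_ENV can change how a shell
#    interprets a command, so they are removed too.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Untaint by extracting a validated sub-match; this is the only way a
#    tainted value becomes clean. Returning undef on failure lets the
#    caller reject the request instead of mailing whatever came in.
sub untaint_email {
    my ($value) = @_;
    return undef unless defined $value;
    # Conservative address pattern: no whitespace, no CR/LF, one '@'.
    return $value =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/ ? $1 : undef;
}

sub untaint_header_line {
    my ($value, $max) = @_;
    $max ||= 200;
    return '' unless defined $value;
    # Printable characters only, so a line break inside a form field
    # cannot end the header block early.
    return $value =~ /\A([[:print:]]{0,$max})\z/ ? $1 : undef;
}

sub send_contact_mail {
    my ($input) = @_;
    my $from    = untaint_email($input->{email});
    my $subject = untaint_header_line($input->{subject}, 200);
    return 0 unless defined $from and defined $subject;
    my $body = defined $input->{message} ? $input->{message} : '';

    # 3. List-form open: no shell is involved, so the arguments are never
    #    re-parsed. PATH must still be sane (step 1) or this open() dies
    #    with "Insecure $ENV{PATH}".
    open(my $sendmail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
        or return 0;
    print {$sendmail} "To: support\@example.com\n";   # assumed recipient
    print {$sendmail} "From: $from\n";
    print {$sendmail} "Subject: [contact form] $subject\n\n";
    print {$sendmail} "$body\n";
    close($sendmail) or return 0;
    return 1;
}

# Constructed sample inputs: the first is accepted, the second is rejected
# because the embedded newline fails the untainting pattern.
my %good = (email => 'alice@example.org', subject => 'Hello', message => 'Hi');
my %bad  = (email => "alice\@example.org\nsecond line",
            subject => 'Hello', message => 'Hi');

# Dry run (no mail is sent): show what the untainting accepts and rejects.
for my $case ([good => \%good], [bad => \%bad]) {
    my ($name, $in) = @$case;
    my $addr = untaint_email($in->{email});
    printf "%s: email %s\n", $name,
        defined $addr ? "accepted ($addr)" : "rejected";
}
# Real use from the CGI handler:
#   send_contact_mail(\%input) or die "rejected input or sendmail failure";
```

Run it as `perl -T script.pl` (or execute it directly so the `-T` on the shebang line takes effect); invoking it as `perl script.pl` fails with "Too late for -T". The dry-run loop only exercises the untainting, so it works on a machine without sendmail; `send_contact_mail` is what the form handler would call.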
