Gunnar Hjalmarsson wrote:
> Adam Jimerson wrote:
>> Gunnar Hjalmarsson wrote:
>>> Adam Jimerson wrote:
>>>> Do I need to specify anything for the $ENV{PATH} or do I just leave it
>>>> blank?
>>>
>>> It depends. You have to take into consideration whether your program
>>> relies on any of the paths. If not, it's fine to leave it blank.
>>
>> The only time I call something that is not a Perl function in my program,
>> which if I understand this correctly is why I have to set $ENV{PATH}, is
>> when I call /usr/bin/mail, but when I set $ENV{PATH} to blank or to
>> /usr/bin I get this error "Insecure dependency in piped open while
>> running with -T switch at /srv/www/cgi-bin/contact line 87." That line
>> is where I open the mail command for writing, which I have done like this:
>>
>> open(MAIL, "|/usr/bin/mail -s \"User, $name, has left a message\" vendion")
>>     || die "Can't send mail: $!";
>>
>> Now without the -T switch this sends the message to my local mbox on my
>> system, it's just something about it that the switch just does not like.
>
> There is only one suspected variable to consider, i.e. $name, which is
> probably tainted. Untaint it, and you are done. ( You remember where to
> find out how, right? ;-) )
>
According to perlsec I need to use it as a key in a hash or reference a
substring. The example given is
,----[ ]
if ($data =~ /^([...@\w.]+)$/) {
    $data = $1; # $data now untainted
} else {
    die "Bad data in '$data'"; # log this somewhere
}
`----
When I tried it, using the same search string, all I need is to check for
alphanumeric characters to cover the name, email address and a message. Is
there something wrong with the above search string? I know it says it
doesn't work if use locale is in effect but I don't have that in my program.
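The taint problem discussed in this thread, as an added example that is not code from the thread or from perlsec: the name is untainted through a regex capture and the mail command is opened in list form, so no shell parses the subject. The function names untaint_name and send_notice and the allow-list pattern are assumptions made for the example; /usr/bin/mail and the recipient vendion are taken from the post.

```perl
#!/usr/bin/perl -T
# Added example. Run as "perl -T script.pl" (the -T must also be on the command line).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, perl refuses to start external programs while PATH and these
# variables are inherited from the caller, so pin PATH and drop the rest.
$ENV{PATH} = '/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $name, or undef if it contains anything
# outside the allow-list. Only a regex capture ($1) clears the taint flag.
# Allow-list (assumption): word chars, space, dot, apostrophe, hyphen; 1-64 chars.
sub untaint_name {
    my ($name) = @_;
    return unless defined $name;
    return $name =~ /\A([\w .'-]{1,64})\z/ ? $1 : undef;
}

# Pipe $body to /usr/bin/mail. The list form of open runs the program
# directly, without /bin/sh, so the subject is passed as a single argument.
sub send_notice {
    my ($name, $body) = @_;
    my $subject = "User, $name, has left a message";
    open(my $mail, '|-', '/usr/bin/mail', '-s', $subject, 'vendion')
        or die "Can't send mail: $!";
    print {$mail} $body;
    close($mail) or die "mail exited abnormally: $?";
    return 1;
}

# Constructed inputs standing in for the CGI form value. Appending a
# zero-length tainted string marks them as tainted, like real form data.
my $taint = substr("$0$^X", 0, 0);
for my $raw ('Adam Jimerson', 'Adam"; echo hi; "') {
    my $input = $raw . $taint;
    my $clean = untaint_name($input);
    my $result = defined $clean
        ? 'accepted, tainted=' . (tainted($clean) ? 1 : 0)
        : 'rejected';
    printf "%-20s tainted=%d -> %s\n", "'$raw'", tainted($input) ? 1 : 0, $result;
    # In the CGI script, send_notice($clean, $message) is called only
    # when $clean is defined; it is not called here so no mail is sent.
}
```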