> > > Hi everybody,
> > >
> > > I'm having trouble with setting the path to my sendmail program when
> > > using the -T switch. It's a simple script that creates a
> > > form, asks for an email address and sends an answer after the
> > > form was submitted. I keep getting the following error
> > > message although I've set the $ENV{'PATH'} in the script. Can
> > > anyone help?
> > >
> > > Error message:
> > > Insecure directory in $ENV{PATH} while running with -T switch at /usr/local/httpd/cgi-bin/subscribe.pl line 45.
> > >
> > > Here is a part of the code
> > > ________snippet______
> > >
> > > #!/usr/bin/perl -wT
> > > #Pull in modules, create form etc.
> > >
> > >
> > > sub send_mail {
> > >     my $a = shift;
> > >     $a = check($a); #sub that checks the email address
> > >     print ("Thank your for ordering our Newsletter.");
> > >     $ENV{'PATH'} = "|/usr/sbin/sendmail -oi -t -odq";
> > >     open(SENDMAIL, "$ENV{'PATH'}") or die "Can't fork for sendmail: $!\n";
> > >     print SENDMAIL <<"FILE";
> > > From: JUVE Newsline <[EMAIL PROTECTED]>
> > > To: <$a>
> > > .
> > > .etc
> > >
> > > }
> > > _____Snippet______
> >
> > You haven't shown us where you are untainting $ENV{'PATH'}...
> > I assume you have read perldoc taint ??
>
> I'm not explicitly untainting $ENV{'PATH'}. As far as I understood
> Programming Perl setting the path is enough, but apparently it is not. I
> thought only data has to be untainted?
>

Ah, I see what you are doing now. I am a little surprised that it is complaining, though I don't know the exact methods it uses. Setting $ENV{'PATH'} as you have done seems very awkward to me; there is no reason to assign the path (and arguments) of your sendmail call to the global %ENV hash. Does it work if you assign it to a plain scalar? If you must have it in %ENV I would suggest choosing a key that is not a default and commonly used one...

> >
> > How about not shelling out to sendmail in the above manner at
> > all, and instead use a module to send your messages? There
> > are many available and unless you are a Sendmail pro you
> > shouldn't bother with it directly.
>
> I would love to use Mail::Mailer or MimeLite but we are having a bit of
> trouble with our ISP and it's always a bit of a hassle to get CPAN
> Modules installed.
>

Yeh sometimes that is a problem. I assume you know that modules don't have to be installed into a root owned directory? In cases where you don't have shell access this won't help much, always something I check for when deciding amongst ISPs...

http://danconia.org
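An added example, not part of the thread and not the poster's code: the sendmail command is kept in a plain variable, $ENV{PATH} holds only absolute directories, and the address is untainted through a regex capture before it reaches a mail header. The sendmail location, the sender address and the sub name untaint_address are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Run as ./script.pl or "perl -T script.pl".
use strict;
use warnings;

# Taint mode checks %ENV before any exec or pipe open. Each PATH entry must
# be an absolute directory that is not writable by group or others, so a
# value starting with "|" is reported as an insecure directory.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location; the command lives in a plain array, not in %ENV.
my @SENDMAIL = ('/usr/sbin/sendmail', '-oi', '-t', '-odq');

# Returns an untainted address, or nothing if the input is not acceptable.
# \z (not $) rejects a trailing newline, so the value cannot add header lines.
sub untaint_address {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9._+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/;
    return;
}

sub send_mail {
    my ($to) = @_;
    # List-form pipe open: no shell parses the command line.
    open(my $mail, '|-', @SENDMAIL) or die "Can't fork for sendmail: $!\n";
    print {$mail} "From: Newsletter <newsletter\@example.com>\n",   # constructed sender
                  "To: <$to>\n",
                  "Subject: Subscription confirmed\n\n",
                  "Thank you for ordering our newsletter.\n";
    close($mail) or die "sendmail exited with status $?\n";
}

# Constructed sample inputs: one valid, one carrying an extra header, one malformed.
for my $raw ('reader@example.org', "x\@example.org\nBcc: other\@example.net", 'no-at-sign') {
    my $addr = untaint_address($raw);
    (my $shown = $raw) =~ s/\n/\\n/g;
    printf "%-45s %s\n", $shown, defined $addr ? 'accepted' : 'rejected';
}

# Queue a real message only when asked to: perl -T script.pl --send addr
if (@ARGV == 2 && $ARGV[0] eq '--send') {
    my $addr = untaint_address($ARGV[1]) or die "Bad address\n";
    send_mail($addr);
}
```

Because sendmail is called with -t, recipients are read from the headers, which is why the address check refuses anything containing a line break.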