<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Sep 3, 2014 at 3:39 PM, Dietmar Maurer <span dir="ltr"><<a href="mailto:dietmar@proxmox.com" target="_blank">dietmar@proxmox.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Sorry, I don't really understand this patch?<br>
<div class=""><br>
> diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm index 92deeea..3327445<br>
> 100644<br>
> --- a/PVE/API2/APT.pm<br>
> +++ b/PVE/API2/APT.pm<br>
> @@ -341,7 +341,7 @@ __PACKAGE__->register_method({<br>
> if ($mailto) {<br>
> my $hostname = `hostname -f` || PVE::INotify::nodename();<br>
> chomp $hostname;<br>
> - my $mailfrom = $dcconf->{email_from} ||<br>
> "root\@$hostname";<br>
> + my $mailfrom = $dcconf->{email_from} || "root";<br>
<br>
</div>Why did you change "root\@$hostname" to "root"?<br>
<div class=""><br>
><br>
> my $data = "Content-Type: text/plain;charset=\"UTF8\"\n";<br>
> $data .= "Content-Transfer-Encoding: 8bit\n"; diff --git<br>
> a/PVE/VZDump.pm b/PVE/VZDump.pm index 4295003..4a4d25c 100644<br>
> --- a/PVE/VZDump.pm<br>
> +++ b/PVE/VZDump.pm<br>
> @@ -280,7 +280,7 @@ my $sendmail = sub {<br>
> $rcvrarg .= " '$r'";<br>
> }<br>
> my $dcconf = PVE::Cluster::cfs_read_file('datacenter.cfg');<br>
> - my $mailfrom = $dcconf->{email_from} || "root\@$hostname";<br>
> + my $mailfrom = $dcconf->{email_from} || "root";<br>
<br>
</div>same question here?<br>
<div class=""><br>
><br>
> open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") ||<br>
> die "unable to open 'sendmail' - $!";<br>
> --<br>
> 1.9.1<br>
><br>
</div>> _______________________________________________<br>
> pve-devel mailing list<br>
> <a href="mailto:pve-devel@pve.proxmox.com">pve-devel@pve.proxmox.com</a><br>
> <a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel" target="_blank">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel</a><br>
<br>
</blockquote><div><br>Perl considers this construction non-secure when running with "-T". It assumes that $hostname variable can contain something dangerous to run in a shell, for example, $hostname="; rm -rf /" and we get "Insecure dependency in open while running with -T switch" message in:<br>
open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") || ...<br></div><div><br>More is here <a href="http://en.wikipedia.org/wiki/Taint_checking">http://en.wikipedia.org/wiki/Taint_checking</a></div></div></div>
</div>