[pve-devel] [PATCH 2/2] email_from: fix for "insecure dependency in piped open" when email_from is empty

Stanislav German-Evtushenko ginermail at gmail.com
Wed Sep 3 14:08:58 CEST 2014


On Wed, Sep 3, 2014 at 3:39 PM, Dietmar Maurer <dietmar at proxmox.com> wrote:

> Sorry, I don't really understand this patch?
>
> > diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm index 92deeea..3327445
> > 100644
> > --- a/PVE/API2/APT.pm
> > +++ b/PVE/API2/APT.pm
> > @@ -341,7 +341,7 @@ __PACKAGE__->register_method({
> >               if ($mailto) {
> >                   my $hostname = `hostname -f` ||
> PVE::INotify::nodename();
> >                   chomp $hostname;
> > -                 my $mailfrom = $dcconf->{email_from} ||
> > "root\@$hostname";
> > +                 my $mailfrom = $dcconf->{email_from} || "root";
>
> Why did you change "root\@$hostname" to "root"?
>
> >
> >                   my $data = "Content-Type:
> text/plain;charset=\"UTF8\"\n";
> >                   $data .= "Content-Transfer-Encoding: 8bit\n"; diff
> --git
> > a/PVE/VZDump.pm b/PVE/VZDump.pm index 4295003..4a4d25c 100644
> > --- a/PVE/VZDump.pm
> > +++ b/PVE/VZDump.pm
> > @@ -280,7 +280,7 @@ my $sendmail = sub {
> >       $rcvrarg .= " '$r'";
> >      }
> >      my $dcconf = PVE::Cluster::cfs_read_file('datacenter.cfg');
> > -    my $mailfrom = $dcconf->{email_from} || "root\@$hostname";
> > +    my $mailfrom = $dcconf->{email_from} || "root";
>
> same question here?
>
> >
> >      open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") ||
> >       die "unable to open 'sendmail' - $!";
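Review bot: this hunk sidesteps the taint error by dropping `$hostname` from the fallback sender instead of untainting it, so the default envelope sender silently changes from `root@<fqdn>` to a bare `root` while the underlying hazard stays: `open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg")` still interpolates `$mailfrom` (taken verbatim from datacenter.cfg whenever `email_from` is set) and `$rcvrarg` (built above as `" '$r'"`) into one string that /bin/sh parses. Suggest keeping the hostname, untainting it with a strict capture such as `($hostname) = $hostname =~ /^([\w.-]+)$/ or die "bad hostname"`, and switching to the list form of the pipe open, `open(my $mail, '|-', 'sendmail', '-B', '8BITMIME', '-f', $mailfrom, @rcvrs)`, which never invokes a shell and makes `$rcvrarg` unnecessary.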
> > --
> > 1.9.1
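Review bot: in the APT.pm hunk above, once the sender no longer includes `$hostname`, the `my $hostname = \`hostname -f\` || PVE::INotify::nodename();` and `chomp $hostname;` two lines earlier have no remaining use in the visible context; if nothing further down uses `$hostname`, drop the backtick call together with it, and if it is still needed, untaint it with a strict regex capture rather than removing it from the address. The subject line describes a fix for an empty `email_from`, but the change also alters the default sender from `root@<fqdn>` to `root`; the commit message should state that this new default is intended.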
> >
>
>
Perl considers this construction non-secure when running with "-T". It
assumes that the $hostname variable can contain something dangerous to run in a
shell, for example $hostname="; rm -rf /", and we get the "Insecure dependency
in open while running with -T switch" message in:
open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") || ...

More is here http://en.wikipedia.org/wiki/Taint_checking
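The taint behaviour described in this reply, as an added stand-alone example that is not Proxmox code: it shows the string-form pipe open being refused under -T, a regex untaint that keeps the hostname in the sender, and the list-form pipe open that bypasses the shell. The recipient list and the `cat` stand-in in step 1 are constructed for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not Proxmox code: how -T treats the two ways of opening the
# sendmail pipe, and how to keep the hostname in the From address without
# tripping the taint check.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, running any external program requires a clean PATH.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Backtick output is tainted: Perl cannot know it is a harmless hostname.
my $hostname = `hostname -f` || 'localhost';
chomp $hostname;
printf "hostname tainted: %s\n", tainted($hostname) ? 'yes' : 'no';   # yes

# 1. The string form of a piped open goes through /bin/sh, so -T refuses
#    tainted data anywhere in the command string (cat stands in for sendmail).
my $tainted_from = "root\@$hostname";
eval {
    open(my $fh, "|cat >/dev/null -- $tainted_from") or die "$!\n";
    close $fh;
};
print "string-form pipe: $@" if $@;   # Insecure dependency in piped open ...

# 2. Untaint by extracting only what matches a strict hostname pattern.
#    A value such as "; rm -rf /" simply does not match and yields undef.
sub untaint_hostname {
    my ($h) = @_;
    return $h =~ /^([A-Za-z0-9][A-Za-z0-9.-]{0,252})$/ ? $1 : undef;
}

my $clean = untaint_hostname($hostname) // 'localhost';
printf "untainted value clean: %s\n", tainted($clean) ? 'no' : 'yes';  # yes

# 3. The list form of a piped open never invokes a shell: each argument is
#    handed to sendmail as-is, so a sender or recipient can never become
#    shell syntax. The recipient list is constructed for this demo.
my $mailfrom = "root\@$clean";
my @rcpts    = ('root');
my @cmd      = ('sendmail', '-B', '8BITMIME', '-f', $mailfrom, @rcpts);
open(my $mail, '|-', @cmd) or die "unable to open 'sendmail' - $!";
print $mail "Subject: taint demo\n\nsent with list-form open\n";
close $mail or warn "sendmail exited with status $?";
```

Run it as `perl -T taint_demo.pl`; step 3 needs a local sendmail, otherwise it dies with the same message the original code uses.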