[pve-devel] [PATCH 2/2] email_from: fix for "insecure dependency in piped open" when email_from is empty
Dietmar Maurer
dietmar at proxmox.com
Wed Sep 3 15:45:14 CEST 2014
> Perl considers this construction non-secure when running with "-T". It assumes
> that $hostname variable can contain something dangerous to run in a shell, for
> example, $hostname="; rm -rf /" and we get "Insecure dependency in open
> while running with -T switch" message in:
> open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") || ...
>
> More is here http://en.wikipedia.org/wiki/Taint_checking
Sure, but your fix is wrong. You need to 'untaint' $hostname instead.
Search the web for "perl untaint" ...
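
One way to do the untainting the reply refers to, as an added example that is not part of the original message or of the Proxmox code. The helper name untaint_hostname and the sample hostnames are assumptions made for illustration; the lines under __DATA__ are constructed input.

```perl
# Run as: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper (not from the patch): return an untainted copy of a
# hostname, or nothing if it contains anything other than RFC 1123 label
# characters. Under -T only a regex capture clears the taint flag, so the
# pattern has to be a strict allow-list, never a catch-all such as /(.*)/.
sub untaint_hostname {
    my ($name) = @_;
    return unless defined $name && length($name) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    if ($name =~ /\A($label(?:\.$label)*)\z/) {
        return $1;    # the captured copy is untainted
    }
    return;           # reject instead of passing the value on
}

# Constructed sample input. Lines read from a filehandle are tainted under
# -T, which stands in for a hostname that came from outside the program.
while (my $line = <DATA>) {
    chomp $line;
    my $clean = untaint_hostname($line);
    if (defined $clean) {
        printf "%-20s tainted=%d -> accepted, tainted=%d\n",
            "'$line'", tainted($line) ? 1 : 0, tainted($clean) ? 1 : 0;
    }
    else {
        printf "%-20s tainted=%d -> rejected\n",
            "'$line'", tainted($line) ? 1 : 0;
    }
}

__DATA__
pve1.example.com
node-02
; rm -rf /
-leading.dash
```

Only a value returned by the helper should be interpolated into the sendmail command line; a rejected hostname has to stop the mail from being sent rather than fall back to the raw string.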