[pve-devel] [PATCH 2/2] email_from: fix for "insecure dependency in piped open" when email_from is empty

Stanislav German-Evtushenko ginermail at gmail.com
Wed Sep 3 16:01:59 CEST 2014


On Wed, Sep 3, 2014 at 5:45 PM, Dietmar Maurer <dietmar at proxmox.com> wrote:

> > Perl considers this construction non-secure when running with "-T". It
> > assumes that the $hostname variable can contain something dangerous to
> > run in a shell, for example, $hostname="; rm -rf /" and we get "Insecure
> > dependency in open while running with -T switch" message in:
> > open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") || ...
> >
> > More is here http://en.wikipedia.org/wiki/Taint_checking
>
> Sure, but your fix is wrong. You need to 'untaint' $hostname instead.
> Search the web for "perl untaint" ...
>

It was just the same before my patch in VZDump.pm and worked perfectly:
print MAIL "FROM: vzdump backup tool <root>\n";

And this still works with my patch because sendmail adds hostname
automatically. If you think this is not right I can update with untaint.
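
What "untaint $hostname" means in practice, as an added illustration for readers of this thread (this is not code from VZDump.pm or from the patch under discussion): under -T, Perl refuses to pass tainted data to a piped open, so the value has to be re-derived from a regex capture that admits only hostname characters. The example also uses the list form of open, which hands the arguments to sendmail without a shell, so a value such as "; rm -rf /" could not be executed even if it slipped through. The sendmail argument list, the address format, the PATH value and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses exec/piped open while PATH is tainted, so set a
# fixed one and drop the other variables a shell would honour.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';    # assumption: sendmail lives here
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a hostname by capturing it with a strict pattern. Only the
# captured group loses the taint; anything that does not match is rejected.
sub untaint_hostname {
    my ($raw) = @_;
    return undef unless defined $raw;
    if ($raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?)\z/) {
        return $1;
    }
    return undef;
}

# Same idea for a recipient address: local part and domain only.
sub untaint_address {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+)\z/ ? $1 : undef;
}

# Argument list for sendmail (assumed flags, mirroring the quoted open()).
# With the list form of open there is no shell, so ";" or "|" inside an
# argument is just an odd string; taint mode still requires every element
# to be untainted.
sub build_sendmail_argv {
    my ($mailfrom, @rcpts) = @_;
    return ('sendmail', '-B', '8BITMIME', '-f', $mailfrom, @rcpts);
}

sub send_mail {
    my ($mailfrom, $body, @rcpts) = @_;
    my @argv = build_sendmail_argv($mailfrom, @rcpts);
    open(my $mail, '|-', @argv) or die "cannot run sendmail: $!";
    print $mail $body;
    close($mail) or die "sendmail failed: exit ", $? >> 8, "\n";
}

# Constructed inputs for the demonstration are read from STDIN, which makes
# them tainted exactly like data from a config file or a system call.
chomp(my @inputs = <STDIN>);
for my $raw (@inputs) {
    my $safe = untaint_hostname($raw);
    printf "%-24s tainted=%d -> %s\n", "'$raw'", tainted($raw) ? 1 : 0,
        defined $safe
            ? sprintf("ok '%s' (tainted=%d)", $safe, tainted($safe) ? 1 : 0)
            : 'rejected';
}

# Optional real send: perl -T untaint.pl --send root@example.org < hosts.txt
# (the address is an assumption; @ARGV is tainted too, hence untaint_address)
if (@ARGV >= 2 && $ARGV[0] eq '--send') {
    my $rcpt = untaint_address($ARGV[1]) or die "bad recipient\n";
    my $host = untaint_hostname($inputs[0]) or die "bad hostname\n";
    my $from = "root\@$host";    # built only from untainted pieces
    send_mail($from, "FROM: vzdump backup tool <$from>\nTo: $rcpt\n\n"
                     . "taint demo\n", $rcpt);
}
```

Run it with the -T switch on the command line, since a later "-T" in the shebang alone produces "Too late for -T": `printf 'pve1.example.org\n; rm -rf /\n' | perl -T untaint.pl`. The first line is reported as untainted after the capture and the second is rejected; without the regex step the same values would trigger the "Insecure dependency" error at the open() call.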