At 10:56 AM 07/30/2001, Mel Matsuoka wrote:
>At 01:39 PM 07/30/2001 -0700, [EMAIL PROTECTED] wrote:
>>> "Stephen P. Potter" <[EMAIL PROTECTED]> said:
>>
>>> | 
>>> |          open (MAIL, "|/usr/sbin/sendmail $email")
>>> | 
>>> | to which you should by the way add
>>> | 
>>> |          or die "sendmail: $!\n";
>>> 
>>> This probably does not do what you think it does.  It is almost always
>>> worthless to check the status of a pipe.  The only time the pipe will fail
>
>Not to mention the fact that that open() call is a bigass security
>vulnerability waiting to be exploited. What if the user-supplied value of
$email was something like ";rm -rf ." ? Not good.
>
>You should really be using sendmail with the -t flag to avoid shell
>exploits like this. 

And I should really read the mailing list at home before I respond to it
at work :P

Sorry for the redundant security spanking...

mel

--
mel matsuoka                      Hawaiian Image Productions
Chief Executive Alphageek                (vox)1.808.531.5474
[EMAIL PROTECTED]                    (fax)1.808.526.4040
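Added example, not code from anyone in this thread: the one-string pipe open
quoted above beside a hardened replacement in Perl. The unsafe line is kept as
a comment only (it would really run whatever follows the ";" in $email). The
fix uses the list form of open, so no /bin/sh is involved and the recipient
travels inside the message as a To: header that sendmail -t reads; -oi (stop
a lone "." line from ending the message) is a real sendmail flag too. The
sendmail path, the recipient allow-list regex and the sample inputs are
assumptions for the demo.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): unsafe pipe open vs. a hardened one.
use strict;
use warnings;

# UNSAFE (the form under discussion): $email is interpolated into a single
# string, so Perl hands the whole line to /bin/sh and metacharacters in
# $email (";", "|", "`", "$") become shell commands. Under -T this dies with
# "Insecure dependency in piped open" once $email is tainted, which is one
# good reason to run mail-sending scripts with -T.
#
#     open(MAIL, "|/usr/sbin/sendmail $email") or die "sendmail: $!\n";

# Hardened: fixed argv, no shell, recipient passed as a header to sendmail -t.
sub send_mail {
    my ($to, $subject, $body) = @_;

    # Conservative recipient check (assumed policy; deliberately tighter than
    # RFC address syntax). The capture also untaints $to for -T.
    my ($safe_to) = $to =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/
        or die "refusing recipient: $to\n";

    # Header values must not contain CR/LF, or the caller could append extra
    # headers (e.g. Bcc:) that sendmail -t would honour.
    die "newline in subject\n" if $subject =~ /[\r\n]/;

    # perlsec: taint mode requires a sanitized environment before any exec.
    local $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # Path is an assumption; adjust for the host. No shell parses this list.
    my @cmd = ('/usr/sbin/sendmail', '-t', '-oi');
    open(my $mail, '|-', @cmd) or die "sendmail: $!\n";
    print {$mail} "To: $safe_to\nSubject: $subject\n\n$body\n";

    # A pipe open forks first; sendmail's own failure normally surfaces here,
    # in the exit status seen at close, not in the open call.
    close($mail) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed inputs (command-line arguments are tainted under -T, which is
# the realistic case). With the unsafe open the second and third would have
# run "rm -rf ." in a shell; here they simply fail the recipient check.
my @inputs = @ARGV ? @ARGV : ('user@example.com', ';rm -rf .', 'a@b.c;rm -rf .');
for my $addr (@inputs) {
    my $ok = eval { send_mail($addr, 'test', 'hello'); 1 };
    chomp(my $err = $@);
    printf "%-22s %s\n", $addr, $ok ? 'accepted' : "rejected: $err";
}
```

On a host with a working sendmail the first constructed address really is
handed to it; on a host without one the open (or the close) fails and the
eval reports that instead. Either way the two hostile strings never reach a
shell, because there is no shell in the path any more.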
                     
