OK. I confess. I'm new to taint mode. I've
got a form which emails users forgotten passwords. As per http://gunther.web66.com/FAQS/taintmode.html I'm
using a regular expression to untaint the email variable before I send it to
sendmail. It just doesn't send the email. It sends it if I don't use
"-T". HELP!!!
my $m = '/usr/sbin/sendmail';

# Under -T a piped open dies with "Insecure $ENV{PATH} while running with
# -T switch" unless PATH is set from a literal. Set it before the open,
# and drop the other variables a shell would consult.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint email address for sendmail. The pattern is anchored so the whole
# value has to look like an address; only the captured parts are kept.
if ($email =~ /^([\w.-]+)\@([\w.-]+)$/) {
    $email = "$1\@$2";
} else {
    warn("TAINTED DATA SENT BY $ENV{'REMOTE_ADDR'}: $email");
    $email = "";    # successful match did not occur
}

# List form of open: sendmail is started directly, without a shell.
open(MAIL, '|-', $m, '-t') || print "couldn't open $m $!";
print MAIL "From: [EMAIL PROTECTED]\n";
print MAIL "To: $email\n";
print MAIL "Subject: Your password\n\n";
print MAIL "my test message";
close(MAIL);
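The usual reason a script like this goes quiet under -T is not the address at all: a piped open (or any exec) dies with "Insecure $ENV{PATH} while running with -T switch" unless PATH has been set from a literal, and in a CGI the die is only visible in the server error log. The following is an added example, not the poster's code, of a version that is clean under -T. It assumes sendmail lives at /usr/sbin/sendmail and uses webmaster@example.com as a placeholder sender; the sample addresses at the bottom are constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example (not from the original post). Assumed: sendmail is at
# /usr/sbin/sendmail and the sender address is webmaster@example.com.

# A piped open under -T dies with "Insecure $ENV{PATH}" unless PATH comes
# from a literal. Set it before any open, and remove the variables a
# shell would consult if one were ever started.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $sendmail = '/usr/sbin/sendmail';    # literal, so never tainted

# Return the untainted address, or undef when the input is not acceptable.
# \A and \z force the whole value to match, so a newline followed by an
# extra header ("Bcc: ...") is rejected rather than partially captured;
# the capture groups are what launder the taint.
sub untaint_email {
    my ($raw) = @_;
    return undef unless defined $raw;
    if ($raw =~ /\A([\w.+-]+)\@([\w-]+(?:\.[\w-]+)+)\z/) {
        return "$1\@$2";
    }
    return undef;
}

sub send_password_mail {
    my ($to, $body) = @_;
    my $email = untaint_email($to);
    unless (defined $email) {
        my $who = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : 'unknown';
        warn "TAINTED DATA SENT BY $who: " . (defined $to ? $to : '<undef>') . "\n";
        return 0;
    }

    # List form of open: sendmail is exec'd directly, no shell re-parses
    # the arguments. -oi stops a line holding a lone "." from ending input.
    open(my $mail, '|-', $sendmail, '-t', '-oi')
        or do { warn "couldn't open $sendmail: $!\n"; return 0 };
    print {$mail} "From: webmaster\@example.com\n";
    print {$mail} "To: $email\n";
    print {$mail} "Subject: Your password\n\n";
    print {$mail} $body;
    # close() on a pipe waits for the child; $? holds its exit status.
    close($mail) or do { warn "sendmail exited with status $?\n"; return 0 };
    return 1;
}

# Constructed inputs: a clean address and a header-injection attempt.
for my $addr ('user@example.com', "user\@example.com\nBcc: other\@example.net") {
    my $clean = untaint_email($addr);
    print defined $clean ? "accepted: $clean\n" : "rejected\n";
}
# send_password_mail('user@example.com', "my test message\n") would now
# run under -T; it is not called here so the example does not need a
# working sendmail to execute.
```

Run it as `perl -T script.pl` (a bare `perl script.pl` with -T only on the shebang line dies with "Too late for -T"). The list form of open matters as much as the regex: with the string form, Perl may start /bin/sh to parse the command, and the environment checks exist precisely because that shell would read PATH, IFS and friends.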
