On Fri, Feb 08, 2002 at 12:02:11PM -0500, Joel Gwynn wrote:
> OK. I confess. I'm new to taint mode. I've got a form which emails users
> forgotten passwords. As per http://gunther.web66.com/FAQS/taintmode.html I'm
> using a regular expression to untaint the email variable before I send it to
> sendmail. It just doesn't send the email. It sends it if I don't use "-T".
> HELP!!!

Does it give an error message? Does adding the following line earlier
in the script help?

$ENV{PATH} = ''; # clear the path, for taint mode

> my $m = '/usr/sbin/sendmail';
>
> # Untaint email address for sendmail
> if ($email =~ /(\w{1}[\w.-]*)\@([\w.-]+)/) {
> $email = "$1\@$2";
> } else {
> warn ("TAINTED DATA SENT BY $ENV{'REMOTE_ADDR'}: $email: $!");
> $email = ""; # successful match did not occur
> }
>
> open(MAIL,"|$m -t") || print "couldn't open $m $!";
> print MAIL "From: [EMAIL PROTECTED]\n";
> print MAIL "To: $email\n";
> print MAIL "Subject: Your password\n\n";
> print MAIL "my test message";
> close(MAIL);
--
Dan Boger
Linux MVP
brainbench.com
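As an added example (not code from either poster), the same password-mail step written so it runs cleanly under -T: %ENV is cleared before the piped open, the address is untainted by regex capture with an anchored pattern, and sendmail is started with the list form of open so no shell is involved. The sendmail path, the sender address and the form parameter are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread.  Assumes sendmail lives at
# /usr/sbin/sendmail and that the address arrives as a CGI parameter.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external programs while these %ENV entries are
# tainted, so clear them before any piped open.  An empty PATH is fine
# because sendmail is given as an absolute path below.
$ENV{PATH} = '';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing from a regex: only the captured text is returned, so
# the result contains exactly what the anchored pattern allowed.
sub untaint_email {
    my ($raw) = @_;
    return unless defined $raw;
    # local part: word chars, dot, plus, hyphen; domain: dotted labels
    if ($raw =~ /\A([\w.+-]+)\@([\w-]+(?:\.[\w-]+)+)\z/) {
        return "$1\@$2";
    }
    return;   # no match: caller treats the address as rejected
}

sub send_password_mail {
    my ($sendmail, $email, $body) = @_;
    die "refusing tainted address\n" if tainted($email);
    # List-form open: arguments go straight to execve, no shell parsing.
    open(my $mail, '|-', $sendmail, '-t') or die "cannot run $sendmail: $!";
    print {$mail} "From: webmaster\@example.com\n",   # placeholder sender
                  "To: $email\n",
                  "Subject: Your password\n\n",
                  $body, "\n";
    close($mail) or die "sendmail failed, exit status ", $? >> 8, "\n";
    return 1;
}

# Demonstration: a command-line argument stands in for the form field
# (@ARGV is tainted under -T, just like CGI input).
my $from_form = $ARGV[0] // 'user@example.com';
my $clean     = untaint_email($from_form);
if (!defined $clean) {
    warn "TAINTED DATA SENT BY ", $ENV{REMOTE_ADDR} // 'unknown', ": $from_form\n";
    exit 1;
}
printf "%s -> %s (still tainted: %d)\n", $from_form, $clean, tainted($clean) ? 1 : 0;
send_password_mail('/usr/sbin/sendmail', $clean, 'my test message') if $ENV{SEND_MAIL};
```

Run it as `perl -T script.pl 'user@example.com'`; the mail is only sent when SEND_MAIL is set in the environment, so the untainting step can be checked without a working sendmail.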