Using user-variables in external commands? 
 Using user-variables in external commands?

Hi all,

I know that I have to escape chars if
I use something like that:

system("sendmail $recipient");

because someone can do {*filter*} things with
that, but how is it if I use the following:

open(MAIL,"| sendmail");
print <<MAIL;
To: $recipient

$body
end
close(MAIL);

Can someone here also do {*filter*} things?
And how can I safely send mails by
allowing _all_ characters?

Thank you for your help, Mike!

-----------------------------------------------------------
Posted with AnonNews at http://www.*-*-*.com/



Tue, 29 Oct 2002 03:00:00 GMT  
 Using user-variables in external commands?


Quote:
>I know that I have to escape chars if
>I use something like that:

>system("sendmail $recipient");

>because someone can do {*filter*} things with
>that, but how is it if I use the following:

>open(MAIL,"| sendmail");
>print <<MAIL;
>To: $recipient

>$body
>end
>close(MAIL);

>Can someone here also do {*filter*} things?
>And how can I safely send mails by
>allowing _all_ characters?

My sendmail wouldn't like to be called that way, your "print"
statement is going to STDOUT rather than MAIL, and your
here-document never ends.  However, there is still *some* sense
in your questions.  The answers:

1.  Yes.  Someone can still do {*filter*} things:

        $recipient =<<EOWORM;

Subject: ILOVEYOU
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_00E9_01BFB5D9.02FA44F0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4

This is a multi-part message in MIME format.

------=_NextPart_000_00E9_01BFB5D9.02FA44F0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

kindly check the attached LOVELETTER coming from me.
------=_NextPart_000_00E9_01BFB5D9.02FA44F0
Content-Type: application/octet-stream;
        name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
        filename="LOVE-LETTER-FOR-YOU.TXT.vbs"

rem  barok -loveletter(vbe) <i hate go to school>

Group  
/  =
Manila,Philippines
On Error Resume Next
...
EOWORM

2.  You can't send mail safely by allowing all characters.

Hope This Helps,

Michael



Wed, 30 Oct 2002 03:00:00 GMT  
 Using user-variables in external commands?
: I know that I have to escape chars if
: I use something like that:
:
: system("sendmail $recipient");
:
: because someone can do {*filter*} things with
: that, but how is it if I use the following:

Specifically, the {*filter*} things they can do involve passing additional
commands to the shell in $recipient.

: open(MAIL,"| sendmail");
: print <<MAIL;
: To: $recipient
:
: $body
: end
: close(MAIL);
:
: Can someone here also do {*filter*} things?

In this case, the shell never sees $recipient, so you're safe as long as
there are no security holes in sendmail itself.



Wed, 30 Oct 2002 03:00:00 GMT  
 Using user-variables in external commands?

Quote:

>I know that I have to escape chars if
>I use something like that:

>system("sendmail $recipient");

>because someone can do {*filter*} things with
>that, but how is it if I use the following:

>open(MAIL,"| sendmail");
>print <<MAIL;
>To: $recipient
>Can someone here also do {*filter*} things?

Yes, suppose they set $recipient to:


which contains an embedded newline.  They could add as many extra
headers to the message as they wanted, or even change the message
body.

Quote:
>And how can I safely send mails by
>allowing _all_ characters?

You can't.  In any case there's no reason why you should want to allow
all characters - there's only a limited set of characters that can
appear in an SMTP address.

I would suggest you find a module on CPAN to validate SMTP addresses
for you, and run $recipient and any similar strings through that.
Even if security were not a concern, it would still make your program
a lot more robust and stop it from doing stupid things if fed the
wrong input.  You should always do at least a basic sanity check on
anything the user gives you.

Also find out what the -T (taint) switch does, and use it.

--
Ed Avis



Thu, 31 Oct 2002 03:00:00 GMT  
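
An added example (not code from anyone in this thread) that follows Michael's and Ed's points: an embedded newline in $recipient turns into an extra header line, a conservative check rejects it (and, under perl -T, the regex capture untaints the address), and sendmail is started with a list-form pipe open so no shell ever parses the arguments. The path /usr/sbin/sendmail, the -oi -t flags, and the address pattern (deliberately stricter than what RFC 5322 allows) are assumptions; nothing is actually sent by the demo lines.

```perl
use strict;
use warnings;

# Conservative recipient check. Rejects CR/LF outright (that is the
# header-injection vector), limits length, and allows only a restricted
# address character set; valid but unusual addresses (quoted local
# parts, IP literals) are rejected on purpose. Under perl -T the regex
# capture also untaints the value. Returns the clean address or undef.
sub clean_recipient {
    my ($addr) = @_;
    return undef unless defined $addr && length($addr) <= 254;
    return undef if $addr =~ /[\r\n]/;
    return $1 if $addr =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/;
    return undef;
}

# Message text with the checked address on the To: line. Dies rather
# than emit an unchecked value into the headers.
sub build_message {
    my ($recipient, $body) = @_;
    my $to = clean_recipient($recipient)
        or die "refusing to send: bad recipient\n";
    return "To: $to\n\n$body\n";
}

# Number of header lines a naive "To: $recipient" here-document produces.
sub header_count {
    my ($recipient) = @_;
    my $n = () = "To: $recipient\n\n" =~ /^[A-Za-z-]+:/mg;
    return $n;
}

# Delivery without a shell: list-form pipe open, so no word splitting or
# metacharacter interpretation happens. Taint mode also needs a clean PATH.
sub send_message {
    my ($msg) = @_;
    $ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
        or die "cannot run sendmail: $!\n";
    print {$mail} $msg;
    close($mail) or die "sendmail exited with status $?\n";
}

# Constructed demo inputs (nothing is sent).
my $attack = "victim\@example.com\nBcc: everyone\@example.com";
print "naive here-document: ", header_count($attack), " header lines\n";
print "checked: ", (defined clean_recipient($attack) ? 'accepted' : 'rejected'), "\n";
print build_message('mike@example.com', 'hello');
```

Run it as perl -T to see the untainting at work; header_count reports two header lines for the constructed $attack, and clean_recipient rejects it.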
 Using user-variables in external commands?

Quote:

> I would suggest you find a module on CPAN to validate SMTP addresses for you,

RTFM: perlfaq9 --

     How do I check a valid mail address?

     You can't, at least, not in real time.  Bummer, eh?

Better advice to the original question is, IMHO, to use a module which --
platform-portably -- encapsulates the sending of email messages, rather
than attempting to invoke sendmail directly.  There are two excellent
choices: Net::SMTP and Mail::Sendmail.

--
John Porter

A pound of cure is worth a megaton of homeopathy.



Fri, 01 Nov 2002 03:00:00 GMT  