PerlMonks
security trick that doesn't work: system() with arguments problem

by tercoz (Acolyte)
on May 02, 2012 at 08:45 UTC
tercoz has asked for the wisdom of the Perl Monks concerning the following question:

Good day!

I want to securely send mail. So I invoke system next way:

system( '/var/www/cgi-bin/sendEmail', '-f', $email_from, '-t','$email_to', '-u','123', '-m','123', '-o','message-content-type=html' );

And of course it doesn't work.

But if I write this

system("/var/www/cgi-bin/sendEmail -f $email_from -t $email_to -u 123 -m 123 -o message-content-type=html" );

Everything is okay.

What the problem may be?

Re: security trick that doesn't work: system() with arguments problem
by Corion (Pope) on May 02, 2012 at 08:52 UTC

    You should be using MIME::Lite instead, or maybe Mail::Sender or one of the other mail sending modules. Especially having a "mail sending program" available under /var/www/cgi-bin seems highly problematic as that program will likely be accessible from the outside by crafting a HTTP access.

    In your invocation, you have

    '-t','$email_to',

    ... but single quotes do not interpolate. You want to leave out the single quotes. But see above for the use of MIME::Lite instead.

      WAIT! ^ MIME::Lite is not recommended by its current maintainer. There are a number of alternatives, like Email::MIME or MIME::Entity and Email::Sender, which you should probably use instead. MIME::Lite continues to accrue weird bug reports, and it is not receiving a large amount of refactoring due to the availability of better alternatives. Please consider using something else.

      This message is on the cpan page of MIME::Lite

      Should I use it?

        It works quite well for me, and has done so for at least 7 years, so I don't see the reason why it shouldn't be recommended. I don't think that the Email namespace is inherently bad either, but I haven't used any of the modules so I can't recommend any specific module.

      It is faster for a programmer who is familiar with shell tools to use system (45 seconds) than to spend an hour or 2 to install and read the POD and write up and test examples on a cpan library. The location of sendmail is a security problem here though.
Re: security trick that doesn't work: system() with arguments problem
by JavaFan (Canon) on May 02, 2012 at 09:33 UTC
    What the problem may be?
    Overly quoting. Drop the single quotes around $email_to.
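Why the list form of system() is the "security trick" in the first place, shown as an added example that is not part of the original thread. It uses printf as a stand-in for sendEmail so that the argv the child actually receives is visible, and the hostile recipient address is a constructed value chosen to contain a shell metacharacter.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed hostile input: if this string is ever handed to /bin/sh,
# everything after the ';' runs as a separate command.
my $email_to = 'victim@example.com; echo INJECTED';

# Stand-in for sendEmail: prints one line per argument it receives,
# so each variant below shows exactly what the child process saw.
my @show_args = ('printf', 'arg: %s\n');

# 1. String form. Perl passes the whole line to /bin/sh, which splits on
#    whitespace and honours ';', '|', backticks and $(...). The address
#    becomes two arguments and "echo INJECTED" runs as a second command.
print "--- string form (goes through the shell) ---\n";
system("printf 'arg: %s\\n' -t $email_to");

# 2. List form with the mistake from the original post: '$email_to' in
#    single quotes is the literal nine-character string, not the variable.
print "--- list form, over-quoted ---\n";
system(@show_args, '-t', '$email_to');

# 3. List form done right. With more than one list element Perl calls
#    execvp() directly, no shell is involved, and the ';' is just a byte
#    inside a single argv entry.
print "--- list form, correct ---\n";
my $rc = system(@show_args, '-t', $email_to);

# system() returns the wait status, not a boolean: 0 means the child
# exited successfully, -1 means it could not be started at all.
if ($rc == -1) {
    die "could not run printf: $!";
} elsif ($rc != 0) {
    die sprintf "printf exited with status %d", $rc >> 8;
}
```

Two caveats a practitioner would want alongside this. First, the list form only bypasses the shell when the list has more than one element; `system("$cmd $arg")` and `system("cmd; other")` both go through /bin/sh. Second, avoiding the shell stops command injection but not argument injection: a recipient value beginning with `-` is still parsed as an option by the child program, so the address should be validated (or the tool's end-of-options marker used, where the tool supports one) before it is placed in the argument list.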
