PerlMonks  

security trick that doesn't work: system() with arguments problem

by tercoz (Acolyte)
on May 02, 2012 at 08:45 UTC (#968395=perlquestion)
tercoz has asked for the wisdom of the Perl Monks concerning the following question:

Good day!

I want to securely send mail. So I invoke system the following way:

system( '/var/www/cgi-bin/sendEmail', '-f', $email_from, '-t','$email_to', '-u','123', '-m','123', '-o','message-content-type=html' );

And of course it doesn't work.

But if I write this

system("/var/www/cgi-bin/sendEmail -f $email_from -t $email_to -u 123 -m 123 -o message-content-type=html" );

Everything is okay.

What might the problem be?

Re: security trick that doesn't work: system() with arguments problem
by Corion (Pope) on May 02, 2012 at 08:52 UTC

    You should be using MIME::Lite instead, or maybe Mail::Sender or one of the other mail sending modules. Especially having a "mail sending program" available under /var/www/cgi-bin seems highly problematic, as that program will likely be accessible from the outside by crafting an HTTP access.

    In your invocation, you have

    '-t','$email_to',

    ... but single quotes do not interpolate. You want to leave out the single quotes. But see above for the use of MIME::Lite instead.

      WAIT! MIME::Lite is not recommended by its current maintainer. There are a number of alternatives, like Email::MIME or MIME::Entity and Email::Sender, which you should probably use instead. MIME::Lite continues to accrue weird bug reports, and it is not receiving a large amount of refactoring due to the availability of better alternatives. Please consider using something else.

      This message is on the CPAN page of MIME::Lite.

      Should I use it?

        It works quite well for me, and has done so for at least 7 years, so I don't see the reason why it shouldn't be recommended. I don't think that the Email namespace is inherently bad either, but I haven't used any of the modules, so I can't recommend any specific module.

      It is faster for a programmer who is familiar with shell tools to use system (45 seconds) than to spend an hour or 2 to install and read the POD and write up and test examples on a CPAN library. The location of sendmail is a security problem here, though.
Re: security trick that doesn't work: system() with arguments problem
by JavaFan (Canon) on May 02, 2012 at 09:33 UTC
    What might the problem be?
    Overly quoting. Drop the single quotes around $email_to.
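Both replies boil down to the same fix: drop the single quotes so Perl interpolates $email_to, and keep the list form of system() so no shell ever sees the addresses. The script below is an added illustration, not code from the thread; it assumes a hypothetical sendEmail binary outside the web root (path is a placeholder) and uses perl itself as a stand-in child to show where the argument boundaries fall.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Conservative address check: anything with whitespace or shell
# metacharacters is rejected before it reaches an external command.
sub valid_address {
    my ($addr) = @_;
    return defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
}

# Build the argument list from the question. $email_to is interpolated by
# Perl here (no single quotes around it); each element becomes exactly one
# argv entry for execve(), so the shell is never involved.
sub build_args {
    my ($email_from, $email_to) = @_;
    die "bad sender address\n"    unless valid_address($email_from);
    die "bad recipient address\n" unless valid_address($email_to);
    return ( '-f', $email_from, '-t', $email_to,
             '-u', '123', '-m', '123', '-o', 'message-content-type=html' );
}

sub send_mail {
    my ($email_from, $email_to) = @_;
    my @args = build_args($email_from, $email_to);
    # Placeholder path: keep the mailer outside /var/www/cgi-bin so it is
    # not reachable over HTTP. system() returns -1 if the program could
    # not be started; otherwise the exit status is in $? >> 8.
    my $rc = system('/usr/local/bin/sendEmail', @args);
    die "could not run sendEmail: $!\n" if $rc == -1;
    return $? >> 8;
}

# Demonstration without sending mail: run perl as the child and print one
# argv entry per line. The constructed recipient contains a ';' and a
# space; with the list form it arrives as a single argument, whereas the
# string form from the question would hand it to the shell to split and
# interpret.
if (!caller) {
    my $to = 'bob@example.com; echo INJECTED';
    system($^X, '-e', 'print "argv: [$_]\n" for @ARGV', '-t', $to);
    printf "address accepted by validator: %s\n",
        valid_address($to) ? 'yes' : 'no';
}
```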

Node Type: perlquestion [id://968395]
Approved by GrandFather