[rt-devel] [patch] insecure ENV

Addison, Mark Mark.Addison at itn.co.uk
Thu Jan 10 09:17:02 EST 2002


hi all,

i originally had this problem with RT 2.0.8_02, so i've upgraded to 2.0.11
and am still seeing the same thing.

due to the set-up of the server, using the default 'sendmail' doesn't work,
so i changed to 'sendmailpipe' so i could specify the exact command to use,
which gave the following errors in the apache error and rt logs when rt
tried to send a mail after actions performed via the web interface.

 Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 118, <GEN0> line 47.

line 118: open (MAIL, "|$RT::SendmailPath $RT::SendmailArguments") ||
return(0);

my initial fix/hack was to add

 local $ENV{PATH} = '';

as the line above, which got me up and running but does force u to use an
absolute $SendmailPath, and is a bit of a hack ;-)

after looking through the code i noticed that webmux.pl does set $ENV{path}
to a string, which should untaint it. it does however do this for the whole
mod_perl server, which is a bit rude as other apps may be expecting a
different ENV. also depending on what runs in what order at start-up for the
server RT could end up running with a different env. so i local'ed all these
vars, which fixes these probs and seems to have solved my taint probs :)

patch below, hope it's ok, this is my 1st patch to an open source project :)

have fun,
grommit
"In the beginning, there was nothing, which exploded"

diff -c against rt-2-0-11
---------------------------------------------------

*** webmux.pl.orig      Thu Jan 10 14:05:11 2002
--- webmux.pl   Thu Jan 10 14:11:21 2002
***************
*** 2,14 ****
  # RT is (c) 1996-2000 Jesse Vincent (jesse at fsck.com);

  use strict;
- $ENV{'PATH'} = '/bin:/usr/bin';    # or whatever you need
- $ENV{'CDPATH'} = '' if defined $ENV{'CDPATH'};
- $ENV{'SHELL'} = '/bin/sh' if defined $ENV{'SHELL'};
- $ENV{'ENV'} = '' if defined $ENV{'ENV'};
- $ENV{'IFS'} = ''          if defined $ENV{'IFS'};


  # We really don't want apache to try to eat all vm
  # see
http://perl.apache.org/guide/control.html#Preventing_mod_perl_Processes_Fr

--- 2,18 ----
  # RT is (c) 1996-2000 Jesse Vincent (jesse at fsck.com);

  use strict;

+ # Secure the ENV
+ # Local so that we dont play with the ENV for any other apps, running in
the
+ # same mod_perl server and they dont play with ours.
+ local $ENV{'PATH'}   = '/bin:/usr/bin';    # or whatever you need
+ local $ENV{'CDPATH'} = '' if defined $ENV{'CDPATH'};
+ local $ENV{'SHELL'}  = '/bin/sh' if defined $ENV{'SHELL'};
+ local $ENV{'ENV'}    = '' if defined $ENV{'ENV'};
+ local $ENV{'IFS'}    = ''          if defined $ENV{'IFS'};

+
  # We really don't want apache to try to eat all vm
  # see
http://perl.apache.org/guide/control.html#Preventing_mod_perl_Processes_Fr
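Review bot: `local` at file scope of webmux.pl is unwound as soon as the `require`/`PerlRequire` that loads the file returns, so by the time a request handler runs (and SendEmail.pm does its pipe open) `$ENV{PATH}`, `CDPATH`, `SHELL`, `ENV` and `IFS` are back to their original, still tainted, values; the isolation the comment describes is real only for the duration of loading the file. If the goal is not to disturb other applications in the same mod_perl server, do the `local` inside the handler that runs per request, or immediately around the `open (MAIL, "|...")` in SendEmail.pm, rather than at the top of webmux.pl. Separately, the wrapped comment line `the` on its own has no `+` prefix, so this hunk will not apply as mailed; rejoin it to the preceding `+ # Local so that ...` line before resubmitting.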

***************
*** 30,39 ****



! $VERSION="!!RT_VERSION!!";

! use lib "!!RT_LIB_PATH!!";
! use lib "!!RT_ETC_PATH!!";

  #This drags in  RT's config.pm
  use config;
--- 34,43 ----



! $VERSION="2.0.11";

! use lib "/usr/local/rt2/lib";
! use lib "/usr/local/rt2/etc";

  #This drags in  RT's config.pm
  use config;
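Review bot: this hunk is unrelated to the ENV change and should be dropped: it replaces the `!!RT_VERSION!!`, `!!RT_LIB_PATH!!` and `!!RT_ETC_PATH!!` placeholders, which the installer substitutes at install time, with one site's installed values (`2.0.11`, `/usr/local/rt2/lib`, `/usr/local/rt2/etc`). It is there because the diff was taken against the installed webmux.pl rather than the source tree; applying it would hard-code those paths for everyone.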

---------------------------------------------------
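A self-contained illustration of the untainting discussed above, added here and not part of the original post or of RT's code: the sanitising is done with `local` inside the routine that opens the pipe, so it is in force when the child is spawned and is undone on return. `send_mail`, `@DANGEROUS` and the `/bin/cat` target are assumptions for the example; run it with `perl -T`.

```perl
# Added example, not RT's code: run with `perl -T this_script.pl`.
use strict;
use warnings;

# Variables perl's taint checks inspect before running a child process
# (assumed list, taken from perlsec; not part of the original post).
my @DANGEROUS = qw(IFS CDPATH ENV BASH_ENV);

# Pipe $body into $command. $command must be an absolute path that comes from
# trusted configuration (RT's $RT::SendmailPath plays that role), never from
# request data, since under -T a tainted command would abort the open.
sub send_mail {
    my ($body, $command, @args) = @_;

    # 'local' inside the sub: the cleaned values apply while the child is
    # spawned and the caller's %ENV is restored when we return, unlike a
    # file-scope 'local' that is unwound as soon as the file finishes loading.
    local $ENV{PATH} = '/bin:/usr/bin';   # constant string, hence untainted
    delete local @ENV{@DANGEROUS};        # 'delete local' needs perl >= 5.12

    # List-form pipe open: no shell is involved, so @args are passed verbatim.
    open(my $mail, '|-', $command, @args) or return 0;
    print {$mail} $body;
    close($mail) or return 0;             # non-zero child exit counts as failure
    return 1;
}

# Demonstration target: /bin/cat echoes the message instead of delivering it;
# swap in the sendmail binary and its arguments (e.g. '-oi', '-t') for real use.
send_mail("To: someone\@example.com\nSubject: taint test\n\nhello\n", '/bin/cat')
    or die "pipe open or close failed: $!\n";
```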
ITN is endeavouring to ensure it receives mail electronically rather than by
manual post. Please send any correspondence by e-mail.

This email (and any attachments) is intended solely for the individual(s) to
whom addressed. It may contain confidential and/or legally privileged
information. Any statement or opinions therein are not necessarily those of
ITN unless specifically stated. Any unauthorised use, disclosure or copying
is prohibited. If you have received this email in error, please notify the
sender and delete it from your system. Security and reliability of the
e-mail and attachments are not guaranteed. You must take full responsibility
for virus checking.

Independent Television News Limited, 
Registered No. 548648 England,
VAT Reg. No: GB 756 2995 81, 
200 Gray's Inn Road, London WC1X 8XZ,
Telephone: 0207 833 3000.
