[rt-devel] Better handling of sendmail (Re: Bugfix for security patch on mod_perl)
paul.szabo at sydney.edu.au
Tue May 29 18:19:39 EDT 2012
Dear Alex,
>> I feel that the invocation of sendmail in RT/Interface/Email.pm is
>> "wrong":
>> - uses IPC::Open2 instead of plain open($mail,"| $path @args") though
>> it never attempts to read STDOUT, loses STDERR without Open3
>
> Using either the two-argument form of open, or ``, makes the call
> vulnerable to shell injection in @args -- which is _precisely_ the
> vulnerability that this change is meant to protect against.
Sorry I missed the reason for the change: I have never seen, never looked
for, any history of the code (no comments there to warn of dangers).
> In a future version, we intend to move to using the more robust
> IPC::Run3, when we will likely start explicitly logging STDOUT and
> STDERR errors using RT's logging infrastructure ...
Thanks, this seems under control, then.
>> - uses pipe which can have consequences for invoker, including losing
>> the exit status or output of subprocess
>
> Using IPC::Open2, the child exit status is available in $?, precisely
> the same as when using ``. I am not aware of any failure modes
> involving loss of output ...
If the eval dies with $SIG{PIPE} then it does not examine $?.
---
Please let me know if you would want me to submit, or if you were
willing to consider, alternative patches avoiding shell metacharacter
issues in `$cmd`.
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
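
Added example, not part of the original message and not RT's code: a Perl illustration of the two points discussed in this thread, namely passing arguments to the mailer without a shell (list-form piped open) and still collecting the child's exit status when the pipe breaks. The helper name pipe_to_command is hypothetical, the address is constructed, and the running perl ($^X) stands in for sendmail.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# pipe_to_command() is a hypothetical helper, not RT's code.
# Returns (exit code, terminating signal, write error or undef).
sub pipe_to_command {
    my ($message, $path, @args) = @_;

    # Turn a broken pipe into an EPIPE error on write instead of a signal
    # that kills us or jumps out of the code that would check $?.
    local $SIG{PIPE} = 'IGNORE';

    # List form: $path is exec'd directly, so @args never pass through a shell.
    open(my $fh, '|-', $path, @args)
        or return (undef, undef, "cannot run $path: $!");

    my $err;
    print {$fh} $message or $err = "write: $!";

    # close() on a piped handle waits for the child and sets $?.
    # $! is 0 when the only problem was a non-zero exit status.
    if (!close($fh) && $! != 0 && !defined $err) {
        $err = "close: $!";
    }
    return ($? >> 8, $? & 127, $err);
}

# Constructed input: an argument containing shell metacharacters.
my $addr = 'nobody@example.invalid; echo not-run';

# $^X (the running perl) stands in for sendmail in both calls.
# 1. The child reads the message and reports its argument verbatim.
my @r = pipe_to_command("Subject: test\n\nbody\n", $^X, '-e',
    'my @in = <STDIN>; print "arg=[$ARGV[0]]\n"; exit 0', $addr);
printf "exit=%d signal=%d error=%s\n", $r[0], $r[1], $r[2] // 'none';

# 2. The child exits with 75 without reading; the write fails, but the
#    exit status is still collected.
@r = pipe_to_command("x" x 1_000_000, $^X, '-e', 'exit 75', $addr);
printf "exit=%d signal=%d error=%s\n", $r[0], $r[1], $r[2] // 'none';
```

The ignored SIGPIPE disposition is inherited by the child across exec, which is worth keeping in mind if the invoked program relies on the default behaviour.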