[rt-devel] Better handling of sendmail (Re: Bugfix for security patch on mod_perl)

paul.szabo at sydney.edu.au paul.szabo at sydney.edu.au
Tue May 29 18:19:39 EDT 2012

Dear Alex,

>> I feel that the invocation of sendmail in RT/Interface/Email.pm is
>> "wrong":
>>  - uses IPC::Open2 instead of plain open($mail,"| $path @args") though
>>    it never attempts to read STDOUT, loses STDERR without Open3
> Using either the two-argument form of open, or ``, makes the call
> vulnerable to shell injection in @args -- which is _precisely_ the
> vulnerability that this change is meant to protect against.

Sorry I missed the reason for the change: I never seen, never looked
for, any history of the code (no comments there to warn of dangers).

> In a future version, we intend to move to using the more robust
> IPC::Run3, when we will likely start explicitly logging STDOUT and
> STDERR errors using RT's logging infrastructure ...

Thanks, this seems under control, then.

>>  - uses pipe which can have consequences for invoker, including losing
>>    the exit status or output of subprocess
> Using IPC::Open2, the child exit status is available in $?, precisely
> the same as when using ``.  I am not aware of any failure modes
> involving loss of output ...

If the eval dies with $SIG{PIPE} then it does not examine $?.


Please let me know if you would want me to submit, or if you were
willing to consider, alternative patches avoiding shell metacharacter
issues in `$cmd`.

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

More information about the rt-devel mailing list