[rt-devel] Better handling of sendmail (Re: Bugfix for security patch on mod_perl)
Alex Vandiver
alexmv at bestpractical.com
Wed May 30 14:48:00 EDT 2012
On Wed, 2012-05-30 at 08:19 +1000, paul.szabo at sydney.edu.au wrote:
> Sorry I missed the reason for the change: I have never seen, never looked
> for, any history of the code (no comments there to warn of dangers).
Apologies if I was overly grumpy; but I consider the perils of two-arg
open, system, and backticks with unchecked user-supplied arguments to be
generally well-known. I'm happy to accept patches to the comments in
the area which you think would clarify the issue.
> > Using IPC::Open2, the child exit status is available in $?, precisely
> > the same as when using ``. I am not aware of any failure modes
> > involving loss of output ...
>
> If the eval dies with $SIG{PIPE} then it does not examine $?.
If the eval dies with SIGPIPE, $? may not be valid. $? is only set by
wait() or system(), neither of which are guaranteed to have happened if
we receive SIGPIPE. See also the IPC::Open2 documentation which notes
that exec failures are simply reported by way of SIGPIPE -- while this
is non-optimal, it will be remedied in 4.0-trunk by use of IPC::Run3.
> Please let me know if you would want me to submit, or if you were
> willing to consider, alternative patches avoiding shell metacharacter
> issues in `$cmd`.
Using `$cmd` is fundamentally insecure, as it brings the shell into the
mix; attempting to escape shell metacharacters to stay one step ahead of
the game is pointless. I see no compelling reason to move away from
tools that were designed to solve this problem securely, to ones which
require jumping through more hoops.
- Alex
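The two invocation styles argued over above, side by side, as an added example that is not RT's code and not from either poster. It runs offline with core Perl modules only: /bin/echo stands in for the sendmail binary (an assumption; it prints its arguments and reads nothing, which also triggers the SIGPIPE-on-write case Paul raised), the message body and the hostile envelope sender are constructed inputs, and the function names are invented for the illustration.

```perl
#!/usr/bin/perl
# Added example (not RT code): shell-interpolated backticks versus an
# argument list handed to IPC::Open2, with $? read only after waitpid().
use strict;
use warnings;
use IPC::Open2 qw(open2);

# Assumption: /bin/echo stands in for /usr/sbin/sendmail so this is safe to run.
my $SENDMAIL = '/bin/echo';
# Constructed message body; echo never reads it, which exercises the SIGPIPE path.
my $BODY = "To: rt\@example.com\nSubject: test\n\nhello\n";
# Constructed hostile envelope sender: in a shell the ';' ends the sendmail command.
my $evil_from = 'victim@example.com; echo INJECTED';

# Vulnerable: interpolating into backticks routes the string through /bin/sh,
# so every metacharacter in $from is honoured.
sub send_via_backticks {
    my ($from) = @_;
    my $cmd = "$SENDMAIL -f $from -t";
    my $out = `$cmd`;                    # the injected 'echo' runs as a second command
    return { status => $? >> 8, out => $out };
}

# Safe: a list of arguments goes straight to execvp(); no shell ever sees them,
# so $from arrives as one literal argument.  $? is populated only by wait()
# or system(), so waitpid() is called even when the write to the child died.
sub send_via_open2 {
    my ($from) = @_;
    my ($child_out, $child_in);
    my $pid = open2($child_out, $child_in, $SENDMAIL, '-f', $from, '-t');

    my $write_error;
    {
        # Turn a fatal SIGPIPE into a catchable die so we still reach waitpid().
        local $SIG{PIPE} = sub { die "child closed its stdin\n" };
        eval { print {$child_in} $BODY; close $child_in; 1 }
            or $write_error = $@;
    }
    my $out = do { local $/; <$child_out> };
    close $child_out;
    waitpid($pid, 0);                    # now $? describes this child
    return { status => $? >> 8, out => $out, write_error => $write_error };
}

my $r = send_via_backticks($evil_from);
print "backticks: exit=$r->{status}\n$r->{out}";

$r = send_via_open2($evil_from);
print "open2:     exit=$r->{status}\n$r->{out}";
print "open2 write failed: $r->{write_error}" if $r->{write_error};
```

With the real sendmail the same list form carries over to IPC::Run3, which the message says 4.0-trunk moves to: `run3([$SENDMAIL, '-f', $from, '-t'], \$BODY, \my $out, \my $err)` takes the command as an array reference, so no shell is involved, and it handles the wait internally so `$?` is valid as soon as it returns.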