[rt-devel] Better handling of sendmail (Re: Bugfix for security patch on mod_perl)

Alex Vandiver alexmv at bestpractical.com
Wed May 30 14:48:00 EDT 2012

On Wed, 2012-05-30 at 08:19 +1000, paul.szabo at sydney.edu.au wrote:
> Sorry I missed the reason for the change: I never seen, never looked
> for, any history of the code (no comments there to warn of dangers).

Apologies if I was overly grumpy; but I consider the perils of two-arg
open, system, and backticks with unchecked user-supplied arguments to be
generally well-known.  I'm happy to accept patches to the comments in
the area which you think would clarify the issue.

> > Using IPC::Open2, the child exit status is available in $?, precisely
> > the same as when using ``.  I am not aware of any failure modes
> > involving loss of output ...
> If the eval dies with $SIG{PIPE} then it does not examine $?.

If the eval dies with SIGPIPE, $? may not be valid.  $? is only set by
wait() or system(), neither of which are guaranteed to have happened if
we receive SIGPIPE.  See also the IPC::Open2 documentation which notes
that exec failures are simply reported by way of SIGPIPE -- while this
is non-optimal, it will be remedied in 4.0-trunk by use of IPC::Run3.

> Please let me know if you would want me to submit, or if you were
> willing to consider, alternative patches avoiding shell metacharacter
> issues in `$cmd`.

Using `$cmd` is fundamentally insecure, as it brings the shell into the
mix; attempting to escape shell metacharacters to stay one step ahead of
the game is pointless.  I see no compelling reason to move away from
tools that were designed to solve this problem securely, to ones which
require jumping through more hoops.
 - Alex

More information about the rt-devel mailing list