[rt-users] ENV taint errors with sendmailpipe
Addison, Mark
Mark.Addison at itn.co.uk
Thu Jan 3 11:05:31 EST 2002
hi,
i've been setting up RT (with RT 2.0.8_02 and qmail on a Solaris Box); all
seems well, with web ui working, but i initially didn't get any mail sent
from the Scrips set up to do so. after some reading and failures i got to a
config.pm with;
# {{{ Outgoing mail configuration
$MailCommand = 'sendmailpipe';
$SendmailArguments="-oi -t";
$SendmailPath = "/var/qmail/bin/sendmail";
$UseFriendlyToLine = 0;
which gave the following errors in the apache error and rt logs when it
tried to send a mail after a ticket creation;
Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 109, <GEN0> line 47.
line 109 is;
open (MAIL, "|$RT::SendmailPath $RT::SendmailArguments") || return(0);
all the web scripts in my rt bin look like they set the ENV{PATH} to a
constant so should untaint it, but i kept getting the error. so i hacked
SendEmail.pm to local %ENV and set $ENV{PATH} to nothing when it runs the
piped mail command, which got it working.
anyone know what's going on, or seen this before? as i don't think my hack is
really a proper solution (but does work) ;-)
have fun,
grommit
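
Added example (not part of the original post and not RT's own code): under -T, Perl refuses to start any child process while $ENV{PATH} is tainted, even when the program is named by absolute path, so one way to make a pipe like the one on line 109 pass is to give the mailer a fixed environment for the duration of the call and open the pipe in list form. The helper name send_via_pipe, the PATH value and the sample message are assumptions; the sendmail path and arguments are the ones from the config above.

```perl
#!/usr/bin/perl -T
# Added example, not RT's code. Run as: perl -T taint_pipe.pl
use strict;
use warnings;

# Values from the config in the post, split into a list so no shell parses them.
my $sendmail_path = '/var/qmail/bin/sendmail';
my @sendmail_args = ('-oi', '-t');

# Hypothetical helper: pipe one message to the mailer with a fixed environment.
sub send_via_pipe {
    my ($message) = @_;

    # Replace the whole environment for this call only; the original %ENV is
    # restored when the sub returns. A literal value is untainted, so the PATH
    # check passes. The directories are an assumption: use absolute ones that
    # are not writable by other users on your system.
    local %ENV = (PATH => '/usr/bin:/bin');
    # Starting from an empty hash also drops IFS, CDPATH, ENV and BASH_ENV,
    # the other variables perlsec says taint mode checks before running a child.

    # List-form pipe open (Perl 5.8 and later): the program is exec'd directly,
    # without /bin/sh interpreting the command line.
    my $mail;
    unless (open($mail, '|-', $sendmail_path, @sendmail_args)) {
        warn "cannot start $sendmail_path: $!\n";
        return 0;
    }
    print {$mail} $message;

    # close() on a pipe waits for the child and is false on a non-zero exit,
    # so a mailer that rejects the message is reported instead of ignored.
    unless (close($mail)) {
        warn "mailer failed (status $?)\n";
        return 0;
    }
    return 1;
}

# Constructed sample message; the address is a placeholder.
my $ok = send_via_pipe(
    "To: rt-test\@example.com\nSubject: taint test\n\nbody\n"
);
print $ok ? "sent\n" : "not sent\n";
```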