[rt-users] ENV taint errors with sendmailpipe [plaintext]
Addison, Mark
Mark.Addison at itn.co.uk
Fri Jan 4 05:37:57 EST 2002
apologies for last mail, now in plaintext. (not my choice of mail server,
mumble, ggrrrrr, groan....)
hi all,
i've been setting up RT (with RT 2.0.8_02 and qmail on a Solaris Box) all
seemed well, with web ui working, but i initially didn't get any mail sent
from the Scrips set up to do so. after some reading and failures i got to a
config.pm with;
# {{{ Outgoing mail configuration
$MailCommand = 'sendmailpipe';
$SendmailArguments="-oi -t";
$SendmailPath = "/var/qmail/bin/sendmail";=$UseFriendlyToLine = 0;
which gave the following errors in the apache error and rt logs when it
tried to send a mail after a ticket creation;
Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 109, <GEN0> line 47.
line 109 is;
open (MAIL, "|$RT::SendmailPath $RT::SendmailArguments") || return(0);
all the web scripts in my rt bin look like they set the ENV{PATH} to a
constant so should untaint it, but i kept getting the error. so i hacked
SendEmail.pm to local %ENV and set $ENV{PATH} to nothing when it runs the
piped mail command, which got it working.
anyone know whats going on, or seen this before? as i dont think my hack is
really a proper solution (but does work) ;-)
cheers,
grommit
More information about the rt-users
mailing list