[rt-users] ENV taint errors with sendmailpipe [plaintext]

Addison, Mark Mark.Addison at itn.co.uk
Fri Jan 4 05:37:57 EST 2002


apologies for last mail, now in plaintext. (not my choice of mail server,
mumble, ggrrrrr, groan....)

hi all,

i've been setting up RT (with RT 2.0.8_02 and qmail on a Solaris Box) all
seemed well, with web ui working, but i initially didn't get any mail sent
from the Scrips set up to do so. after some reading and failures i got to a
config.pm with;

 # {{{ Outgoing mail configuration
 $MailCommand = 'sendmailpipe';
 $SendmailArguments="-oi -t";
 $SendmailPath = "/var/qmail/bin/sendmail";=$UseFriendlyToLine = 0;

which gave the following errors in the apache error and rt logs when it
tried to send a mail after a ticket creation;

 Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 109, <GEN0> line 47.

line 109 is;
 open (MAIL, "|$RT::SendmailPath $RT::SendmailArguments") || return(0);

all the web scripts in my rt bin look like they set the ENV{PATH} to a
constant so should untaint it, but i kept getting the error. so i hacked
SendEmail.pm to local %ENV and set $ENV{PATH} to nothing when it runs the
piped mail command, which got it working.

anyone know whats going on, or seen this before? as i dont think my hack is
really a proper solution (but does work) ;-)

cheers,
grommit




More information about the rt-users mailing list