I'm having a problem with this code when I add -T ??

garymgordon

Programmer
Apr 5, 2000
307
US
I have this very basic email parsing script that works fine when I have -w added to the shebang line. But, when I change it to have -wT (for tainting) instead of just the -w, I get an INTERNAL SERVER ERROR returned. (Error included: The server encountered an internal error or misconfiguration and was unable to complete your request.)

Evidently there is something wrong in the code, but being that I am quite new to Perl, I can't figure it out.

If you can, please let me know what part of this code needs to be changed in order to stop any and all errors from occurring. (And any other suggestions you'd like to make are always welcome.)

Thanks ... and here's the code:


#!/usr/local/bin/perl -wT

&get_form_data();
&send_email;
&print_thankyou_page;

sub get_form_data
{
    # Everything read from STDIN is outside data (tainted under -T)
    read(STDIN, $buffer, $ENV{ 'CONTENT_LENGTH' } );

    # Split the name-value pairs
    @pairs = split (/&/, $buffer);
    foreach $pair (@pairs)
    {
        ($name, $value) = split(/=/, $pair);

        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--(.|\n)*-->//g;
        $FORM{$name} = $value;
    }
}

sub send_email
{
    $to = "webmaster\@garymgordon.com";

    $mailprog = '/usr/lib/sendmail';

    # Opening a pipe to a program is the one "dangerous" operation here;
    # under -T it fails while $ENV{PATH} is still the inherited value
    open(MAIL,"|$mailprog -t");
    print MAIL "From: $FORM{'email'}\n";
    print MAIL "To: $to\n";
    print MAIL "Subject: General Email Contact Form.\n\n";
    print MAIL "First Name: \t$FORM{'first_name'} \n\n";
    print MAIL "Last Name: \t$FORM{'last_name'} \n\n";
    print MAIL "E-mail Address: \t$FORM{'email'} \n\n";
    print MAIL "Status: \t$FORM{'status'} \n\n";
    print MAIL "Other (if other is selected for Status): \t$FORM{'other'} \n\n";
    print MAIL "Comments: \t$FORM{'comments'} \n\n";
    print MAIL " \n";
    close(MAIL);
}

sub print_thankyou_page
{
    print "Content-type: text/html\n\n";
    print "<HTML>\n<HEAD>\n</HEAD>\n<BODY BGCOLOR=\"#FFFFFF\">\n";
    print "<H3>THANK YOU SUBMITTING YOUR INFORMATION.</H3>\n\n";
    print "<P>\n";
    print "We have received your comments and will forward this to the appropriate person.<BR><BR><BR>\n";
    print "Click below to return back:<BR>\n";
    print "<B><A HREF=\" TARGET=\"_top\">Gary M. Gordon, Web Developer</A></B><BR><BR>\n\n\n";
    print "</BODY>\n</HTML>";
}
Gary M. Gordon, LLC
webmaster@garymgordon.com
Certified Web Developer ::
Application Programmer
 
Additional question.

I added:

$ENV{PATH}=~/(.*)/;
$ENV{PATH}=$1;


to:

    $ENV{PATH}=~/(.*)/;
    $ENV{PATH}=$1;
    open(MAIL,"|$mailprog -t");
    print MAIL "From: $FORM{'email'}\n";
    print MAIL "To: $to\n";
    print MAIL "Subject: General Email Contact Form.\n\n";
    print MAIL "First Name: \t$FORM{'first_name'} \n\n";
    print MAIL "Last Name: \t$FORM{'last_name'} \n\n";
    print MAIL "E-mail Address: \t$FORM{'email'} \n\n";
    print MAIL "Status: \t$FORM{'status'} \n\n";
    print MAIL "Other (if other is selected for Status): \t$FORM{'other'} \n\n";
    print MAIL "Comments: \t$FORM{'comments'} \n\n";
    print MAIL " \n";
    close(MAIL);
}


and now it doesn't give me the error. BUT ... I don't understand what this is doing or why it worked.

Also ...

I'd like to include the line:


use strict;


But the code (even with the revision) won't work with that.

Any idea of how I can also re-write this code so it will work not only with the -wT but also with use strict;?


Thanks,
Gary

 
with taint checking on, you cannot execute a script in a directory that's writable by others, any outside data has to be run through a regular expression before you can do anything dangerous with it, and it also makes sure that you check $ENV{PATH} and ensure that it is what you want it to be before you can make any calls to programs in those paths.
although your method works, it would be better instead to set it explicitly to the location of the mail program and nothing else. basically, with taint checking, you have to at least make perl think you've looked at everything dangerous before you use it dangerously. really, though, you should actually check it instead of just pretending to. that's the point of taint checking. "If you think you're too small to make a difference, try spending a night in a closed tent with a mosquito."
 
Could you (would you) help me in modifying the code so I change it correctly?

And, could you tell me what I need to check on my end ... specifically ... and how?

For example,

1) What permissions should I have set on the file?
2) How do I check the $ENV{PATH} ?? (other than just saying that in the script?)
3) How do I set it explicitly to the location of the mail program? (I'm just kind of confused. Sorry.)
4) How do I set this up so any outside data is sent through a regular expression before I do anything dangerous with it? (Again, I am confused on how to write this part?)
5) What else do I need to check to make sure I am checking everything that I should be checking?

I hope you can help.

Thanks,
Gary

 
Chapter 6 in the camel book (mine is only 2nd edition, yours is 3rd, there may be a difference) has a section called "cooperating with strangers" which explains it in detail, but here's some of it:

if the directory that holds the script being called has permissions set so that anyone can write to it, the script won't even start to run. this isn't a problem in your case, as your cgi-bin is most definitely not writable by the world. it's likely not even readable.

any data derived from any source that is not inside your script (@ARGV, STDIN, any files or datastreams) is tainted and cannot be used to do anything dangerous (system calls, writing to files, unlinking files). here's how to untaint it (assume $taint has tainted data in it):[tt]
$taint=~m/(some pattern that ensures safety in your situation)/;
$untainted = $1;[/tt]

that's it. common patterns include "\w+", as word characters are usually safe, or "[^'",:]*" to exclude any of a specific set of characters, in this case '",: . it's usually better to use something like the first pattern, rather than trying to exclude everything dangerous, as you're more likely then to overlook something.

$ENV{PATH} is tainted because it is data from outside your script. you have to read it into a regular expression and make sure it doesn't have anything dangerous. it's likely not going to have anything dangerous in your case, but you should check it anyway. or, if, as in your case, it doesn't matter what else is in PATH so long as you can call your sendmail program, it would be easier to just say:[tt]
$ENV{PATH} = '/path/to/sendmail';[/tt]
and then you could call sendmail like normal. taint checking is just looking out for the possibility of the script being used improperly.

as for checking everything you need to be checking, with taint on, you will get an error if you don't, in almost all cases (the camel book should have more on that). just be sure not to use any outside data without looking at it first.

HTH
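An added example (not the thread's script and not the camel book's code) that puts the two points from this post and the next one together: $ENV{PATH} set explicitly instead of matched through /(.*)/, and outside data untainted with a pattern that describes what is safe rather than what is dangerous, all under `use strict` with -wT. The sendmail path, recipient address and field names are placeholders modelled on Gary's script; the list-form `open` is my change (it runs sendmail without a shell), and the thank-you page is left out.

```perl
#!/usr/local/bin/perl -wT
use strict;

# Under -T perl will not start a child process while PATH is the inherited
# (tainted) value. Replace it with the one directory we need instead of
# "looking at" it, and drop the other variables perl checks before exec.
$ENV{PATH} = '/usr/lib';                  # placeholder: directory of sendmail
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $mailprog = '/usr/lib/sendmail';       # absolute path, never found via PATH
my $to       = 'webmaster@example.com';   # placeholder recipient

# Untainting: whatever a capture group returns is trusted, so the pattern
# IS the check. Anything that does not match is rejected, not cleaned up.
sub untaint {
    my ($value, $pattern, $what) = @_;
    defined $value && $value =~ /^($pattern)\z/ or die "bad $what\n";
    return $1;
}

sub get_form_data {
    my %form;
    read(STDIN, my $buffer, $ENV{CONTENT_LENGTH} || 0);
    for my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/eg;
        $form{$name} = $value;           # still tainted, which is fine here
    }
    return %form;
}

my %FORM = get_form_data();

# The address is the only outside data placed in a mail header. A pattern
# with no whitespace or newlines means it can only ever be one address.
my $email = untaint($FORM{email}, qr/[\w.+-]+\@[\w-]+(?:\.[\w-]+)+/, 'email address');

# List-form open runs sendmail directly, with no shell in between.
open(my $mail, '|-', $mailprog, '-t') or die "cannot run $mailprog: $!\n";
print $mail "From: $email\nTo: $to\nSubject: General Email Contact Form.\n\n";
for my $field (qw(first_name last_name status other comments)) {
    my $text = defined $FORM{$field} ? $FORM{$field} : '';
    print $mail "${field}:\t$text\n\n";   # body text only; nothing executes it
}
close($mail) or die "sendmail failed: $!\n";
```

A `die` here still surfaces as a 500 from the web server, so a real form would print an error page instead; the point is that a value which fails its pattern never reaches the mail program.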
 
Would I be asking too much of you to ask you to re-write my script - as you think it should be written ... and ... indicate through comments - what you did and why?

I think this would be a HUGE help to me ... if I'm not asking too much of you.

But, I'd greatly appreciate it.

Please let me know.

Thanks,
Gary
 
the only thing i would have done differently that matters in this case is this -
change these lines:[tt]
$ENV{PATH}=~/(.*)/;
$ENV{PATH}=$1;[/tt]

to this:[tt]
$ENV{PATH} = '/path/to/sendmail';
[/tt]
that way, if there is anything bad in the PATH entry, it won't matter, you'll have replaced it with a single directory, the only one you need.
in your case, since you're completely writing out the path in '$mailprog' already, you can just set PATH to an empty string and it'll still work. (probably)
 
And that will allow the -T to work???

Nothing else??

But ... first let me say THANKS!! I want to tell you that I have appreciated all your help in the past (to date) as well as with this.

With that being said ...

Is that all I will have to do to get this to work using the -T , added to the shebang line??

Gary
 
yea, should be.
'$buffer' is also tainted data, but since you're not doing anything dangerous with it, that shouldn't be a problem.
the only dangerous call the program makes is opening the pipe to the mail program.
glad I've been of help.
 