Re: Security bug in CGI::Lite::escape_dangerous_chars() function

[tee () T72 org]

Hi Ronald,

Ronald F. Guilmette wrote:
>         Below is a trivially simple example of how this security flaw can
>         cause a problem, in practice:
>
>       =====================================================================
>       #!/usr/bin/perl -w
>
>       use strict;
>       use CGI::Lite;
>
>       my $cgi = new CGI::Lite;
>       my %form = $cgi->parse_form_data;
>       my $recipient = $form{'recipient'};
>
>       my $message = "From: sender\nSubject: Hello\n\nHello my friend!\n\n";
>
>       $recipient = escape_dangerous_chars ($recipient);
>
>       open (SM, "|/usr/sbin/sendmail -f rfg $recipient");
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Uhm... no matter how you escape dangerous stuff but you should not be
using that code in the first place...

Better would be...

      $pid = open(MAIL, "|-");
      defined ($pid) or die "Fork: $!";
      if (!$pid) {
         exec '/usr/lib/sendmail', '-t', '-oi' || exit 255;
      }
      print MAIL "To: $to\n";
      print MAIL "From: $from\n";
      print MAIL "Subject: $subject\n";
      ...
      ...

Peace,

--T

-- 
 tee at T72 dot org - "On kolmenlaisia ihmisiä - niitä jotka
                       ovat matemaattisesti lahjakkaita ja
                       niitä jotka eivät ole."