[pve-devel] [PATCH 2/2] email_from: fix for "insecure dependency in piped open" when email_from is empty

Dietmar Maurer dietmar at proxmox.com
Wed Sep 3 15:45:14 CEST 2014


> Perl considers this construction non-secure when running with "-T". It assumes
> that $hostname variable can contain something dangerous to run in a shell, for
> example, $hostname="; rm -rf /" and we get "Insecure dependency in open
> while running with -T switch" message in:
> open (MAIL,"|sendmail -B 8BITMIME -f $mailfrom $rcvrarg") || ...
> 
> More is here http://en.wikipedia.org/wiki/Taint_checking

Sure, but your fix is wrong. You need to 'untaint' $hostname instead.
Search the web for "perl untaint" ...
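
The untainting suggested in this reply, as an added example that is not part of the original message or of the Proxmox code: a tainted host name is validated with an anchored regex capture, and the pipe to sendmail is opened in list form so no shell is involved. The helper names `untaint_hostname` and `send_mail`, the `root@` sender and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, %ENV is tainted too; set a fixed PATH before running any command.
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of $value if it looks like a host name, else undef.
# Only a regex capture clears the taint flag, so the pattern is the whole
# check: it is anchored and admits nothing a shell would interpret.
sub untaint_hostname {
    my ($value) = @_;
    return undef unless defined $value && length($value) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $value =~ /\A($label(?:\.$label)*)\z/ ? $1 : undef;
}

# Hypothetical helper: pipe a message to sendmail using list-form open, so the
# arguments go straight to exec and are never parsed by a shell. Perl still
# refuses tainted arguments here, which is why the untainting above is needed.
sub send_mail {
    my ($mailfrom, $rcpt, $body) = @_;
    open(my $mail, '|-', 'sendmail', '-B', '8BITMIME', '-f', $mailfrom, $rcpt)
        or die "unable to run sendmail: $!\n";
    print {$mail} $body;
    close($mail) or die "sendmail failed: $?\n";
}

# Constructed sample input. Appending a zero-length tainted string marks each
# literal as tainted, like a value read from a config file or from hostname(1).
my $taint = substr($^X, 0, 0);
for my $sample ('pve1.example.com', '; rm -rf /', '') {
    my $raw  = $sample . $taint;
    my $host = untaint_hostname($raw);
    printf "%-20s tainted=%d -> %s\n", "'$sample'", tainted($raw) ? 1 : 0,
        defined $host ? "accepted, mailfrom=root\@$host" : 'rejected';
    # send_mail("root\@$host", $rcpt, $body) would follow here for an accepted
    # host; $rcpt must be validated and untainted the same way.
}
```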

