
sendmail & code injection

I am sending content through 'sendmail' that includes some user supplied data. I call it using perl, e.g.

# Opens a pipe to sendmail; the whole command line goes through the shell.
open(MAIL, "| /usr/sbin/sendmail -fsomeone\@somewhere.com -t ") or die "cannot run sendmail: $!";
print MAIL "the user content...";
close(MAIL) or die "sendmail failed: $!";

Are there any risks here, e.g. a user formats his data in a way that injects code?

The Perl script itself isn't at risk through this specifically (I'm assuming that "the user content" stands for, say, the contents of a variable). But whoever gets the mail is at the mercy of whatever "the user content..." might be.

To make sure nothing bad happens, we'd need to see much more of your script. Read (and make sure you understand) David Wheeler's "Secure Programming for Linux and Unix HOWTO"; look also for secure Perl programming (perhaps the CERT standard is a good starting point).

That depends on whether the email address in the command line argument is hardcoded or user-supplied.

If the command is hardcoded, and you use a double-quoted string, the @somewhere array will be interpolated. I assume this is a typo, and it would be backslashed.

If that address can be user-set ( open MAIL, "| ... -f$address" ), then this is vulnerable to shell code injection: $address = '; rm -rf * ;'

This can be avoided by input validation, and/or by using multiple arguments for open:

open my $MAIL, "|-", "/usr/bin/sendmail", @args or die ...;
  • Lexical filehandles are better
  • An explicit open mode as a separate argument is safer ( |- -| < > >> +< )
  • Multiple arguments avoid shell interpretation of the command.
  • Return value checking

The -t flag will (iirc) read header values from the user input. This will not affect the security of your script, but would allow the user to include bogus headers. Users may be able to abuse your script for their purposes, e.g. spamming! It might be better to construct the header yourself, and restrict the user to providing the body of the message only.
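The following script is an added example, not code from the question or from either answer. It puts the two recommendations above together: the envelope address is validated before use, sendmail is started with the list form of open so no shell ever sees the arguments, and the headers are written by the script while the user supplies only the body. The addresses, the fixed recipient, the sendmail path and the sample body (which contains a "Bcc:" line to show that it stays inert once it sits below the blank line) are all constructed for this example; the -i flag is sendmail's own option that stops a lone "." line in the body from ending the message early.

```perl
#!/usr/bin/perl
# Added example (not from the original answers): hand sendmail its arguments
# without a shell, validate the user-supplied sender, and keep user data out
# of the header block so -t cannot be fed extra recipients.
use strict;
use warnings;

# Constructed sample inputs; in a real CGI they would come from the request.
my $user_address = 'alice@example.com';
my $user_body    = "Hello,\nBcc: spam\@example.org\n\nthis is my message";

# Return the address only if it looks like a plain mailbox. Spaces, quotes,
# ';', '|', newlines and similar characters never match, so they are rejected
# before the value gets anywhere near exec or a header line.
sub safe_address {
    my ($addr) = @_;
    return $addr if defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    return;
}

# Compose the headers ourselves; the user contributes only the body.
# Anything below the first blank line is body text to sendmail -t, so a
# "Bcc:" line smuggled into the body is not treated as a header.
sub build_message {
    my (%m) = @_;
    my $body = $m{body};
    $body =~ s/\r\n?/\n/g;            # normalise line endings
    return join "",
        "From: $m{from}\n",
        "To: $m{to}\n",
        "Subject: $m{subject}\n",
        "\n",
        $body, "\n";
}

my $from = safe_address($user_address)
    or die "refusing to send: invalid envelope address\n";

# List form: each element is one argv entry, so no shell interpretation.
# -i keeps a line consisting of a single '.' from terminating the input.
my @cmd = ("/usr/sbin/sendmail", "-i", "-f$from", "-t");

my $msg = build_message(
    from    => $from,
    to      => 'support@example.com',   # fixed recipient chosen by the script
    subject => 'Web form submission',
    body    => $user_body,
);

if (-x $cmd[0]) {
    open my $mail, "|-", @cmd or die "cannot run sendmail: $!";
    print {$mail} $msg;
    close $mail or die "sendmail exited with status " . ($? >> 8) . "\n";
} else {
    # Offline demonstration: show exactly what would be handed to sendmail.
    print "would run: @cmd\n", $msg;
}
```

Note that even with -t, the user has no way to add recipients here: the only header lines come from the script, the From address has passed the whitelist regex (which also excludes the newline a header injection would need), and the user's text starts after the blank line that ends the header block. If sendmail is not installed the script prints the argument vector and the message instead of sending, which is a convenient way to inspect what would be executed.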
