I am sending content through ‘sendmail’ that includes some user supplied data.
I call it from Perl, e.g.
# "-t" makes sendmail take the recipients from the message headers
open(MAIL, "| /usr/sbin/sendmail -fsomeone\@somewhere.com -t ") or die "cannot run sendmail: $!";
print MAIL "the user content...";
close(MAIL) or die "sendmail failed: $!";
Are there any risks here, e.g. a user formats his data in a way that injects code?
The Perl script itself isn’t at risk through this specifically (I’m assuming that “the user content” stands for, say, the contents of a variable). But whoever gets the mail is at the mercy of whatever “the user content…” might be.
To make sure nothing bad happens, we’d need to see much more of your script. Read (and make sure you understand) David Wheeler’s “Secure programming for Linux and Unix HOWTO”, look also for secure Perl programming (perhaps the CERT standard is a good starting point).
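As an added illustration (not the poster's script or the answerer's code), here is one way to write the same sendmail call so that user-supplied text can only ever land in the message body: the list-form open passes arguments without a shell, and any value that goes into a header is refused if it contains a line break, since with "-t" sendmail takes recipients from the header block. The addresses and the check are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code.
use strict;
use warnings;

# Assumed fixed envelope sender and recipient (placeholders, not real addresses).
my $from = 'someone@somewhere.com';
my $to   = 'recipient@example.invalid';

# A header value must not contain CR or LF: with "-t", sendmail reads
# To:/Cc:/Bcc: from the header block, so an embedded newline in a value
# could introduce header lines the script never intended to send.
sub header_safe {
    my ($value) = @_;
    return defined $value && $value !~ /[\r\n]/;
}

sub send_user_mail {
    my ($subject, $user_content) = @_;
    die "refusing subject with embedded newline\n" unless header_safe($subject);

    # List-form open: each argument goes straight to execve, no shell parses it.
    open(my $mail, '|-', '/usr/sbin/sendmail', "-f$from", '-t')
        or die "cannot run sendmail: $!";

    # The blank line ends the header block; everything after it is body only,
    # so the user text is never interpreted as a header, whatever it contains.
    print {$mail} "From: $from\n";
    print {$mail} "To: $to\n";
    print {$mail} "Subject: $subject\n";
    print {$mail} "\n";
    print {$mail} $user_content;
    close($mail)
        or die "sendmail failed: ", ($! ? $! : "exit status " . ($? >> 8)), "\n";
    return 1;
}

# Constructed sample input: a would-be header value with an embedded newline.
my $bad_subject = "Hello\nBcc: someone-else\@example.invalid";
print header_safe($bad_subject) ? "accepted\n" : "rejected\n";
```

Running the script as-is only exercises the header check; send_user_mail is called by your own code once you have decided which fields are user-controlled.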