ENV taint errors with sendmailpipe

Addison_Mark · January 3, 2002, 4:05pm

hi,

i’ve been setting up RT (with RT 2.0.8_02 and qmail on a Solaris Box) all
seem well, with web ui working, but i initially didn’t get any mail sent
from the Scrips set up to do so. after some reading and failures i got to a
config.pm with;

{{{ Outgoing mail configuration

$MailCommand = ‘sendmailpipe’;
$SendmailArguments=“-oi -t”;
$SendmailPath = “/var/qmail/bin/sendmail”;=$UseFriendlyToLine = 0;

which gave the following errors in the apache error and rt logs when it
tried to send a mail after a ticket creation;

Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 109, line 47.

line 109 is;
open (MAIL, “|$RT::SendmailPath $RT::SendmailArguments”) || return(0);

all the web scripts in my rt bin look like they set the ENV{PATH} to a
constant so should untaint it, but i kept getting the error. so i hacked
SendEmail.pm to local %ENV and set $ENV{PATH} to nothing when it runs the
piped mail command, which got it working.

anyone know whats going on, or seen this before? as i dont think my hack is
really a proper solution (but does work)

have fun,
grommit

Addison_Mark · January 4, 2002, 10:37am

apologies for last mail, now in plaintext. (not my choice of mail server,
mumble, ggrrrrr, groan…)

hi all,

i’ve been setting up RT (with RT 2.0.8_02 and qmail on a Solaris Box) all
seemed well, with web ui working, but i initially didn’t get any mail sent
from the Scrips set up to do so. after some reading and failures i got to a
config.pm with;

{{{ Outgoing mail configuration

$MailCommand = ‘sendmailpipe’;
$SendmailArguments=“-oi -t”;
$SendmailPath = “/var/qmail/bin/sendmail”;=$UseFriendlyToLine = 0;

which gave the following errors in the apache error and rt logs when it
tried to send a mail after a ticket creation;

Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 109, line 47.

line 109 is;
open (MAIL, “|$RT::SendmailPath $RT::SendmailArguments”) || return(0);

all the web scripts in my rt bin look like they set the ENV{PATH} to a
constant so should untaint it, but i kept getting the error. so i hacked
SendEmail.pm to local %ENV and set $ENV{PATH} to nothing when it runs the
piped mail command, which got it working.

anyone know whats going on, or seen this before? as i dont think my hack is
really a proper solution (but does work)

cheers,
grommit

Darrin_Walton · January 4, 2002, 6:40pm

|+ # {{{ Outgoing mail configuration
|+ $MailCommand = ‘sendmailpipe’;
|+ $SendmailArguments="-oi -t";
|+ $SendmailPath = “/var/qmail/bin/sendmail”;=$UseFriendlyToLine = 0;
|+

I thought sendmailpipe was just for sendmail, and you didn’t have to use it with
qmail. That may be the problem, may want to try just using ‘sendmail’ and
removing the ‘-t’.

Phil_Homewood2 · January 5, 2002, 9:16am

Darrin Walton wrote:

|+ # {{{ Outgoing mail configuration
|+ $MailCommand = ‘sendmailpipe’;
|+ $SendmailArguments=“-oi -t”;
|+ $SendmailPath = “/var/qmail/bin/sendmail”;=$UseFriendlyToLine = 0;
|+

I thought sendmailpipe was just for sendmail, and you didn’t have to use it with
qmail. That may be the problem, may want to try just using ‘sendmail’ and
removing the ‘-t’.

I’m going to bet that the problem is that two lines of the
config file seem to have become joined by an “=”. Try:

{{{ Outgoing mail configuration

$MailCommand = ‘sendmailpipe’;
$SendmailArguments=“-oi -t”;
$SendmailPath = “/var/qmail/bin/sendmail”;
$UseFriendlyToLine = 0;

sendmailpipe should work fine for sendmailalikes which support
similar syntax; not being a bernsteinite I can’t vouch for
qmail, but as far as I know qmail/bin/sendmail should work OK.

Addison_Mark · January 7, 2002, 11:04am

I thought sendmailpipe was just for sendmail, and you didn’t
have to use it with
qmail. That may be the problem, may want to try just using
‘sendmail’ and removing the ‘-t’.

using just sendmail doesn’t work on our server, i just get errors that look
like;
RT::Action::Notify=HASH(0x9e580ac): Could not send mail for
RT::Transaction=HASH(0x9d876e4)

and nothing in the qmail log. i think this is due to the server set-up, but
our sys-admin is still on hols.

so i moved to sendmailpipe, so i could set the mail command to use
explicitly, which is when the taint errors started. so it really seems to be
prob with the sendmailpipe implementation in my installed rt or something
odd with the way it runs as the ENV is getting tainted.

is this really something for the dev list (i’m new to the rt lists)?

cheers,
grommit