Insecure ENV

hi all,

i originally had this problem with RT 2.0.8_02, so i’ve upgraded to 2.0.11
and am still saw the same thing.

due the the set up of the server using the default ‘sendmail’ doesn’t work
so i changed to ‘sendmailpipe’ so i could specify the exact command to use.
which gave the following errors in the apache error and rt logs when rt
tried to send a mail after actions performed via the web interface.

Insecure $ENV{PATH} while running with -T switch at
/usr/local/rt2/lib/RT/Action/SendEmail.pm line 118, line 47.

line 118: open (MAIL, “|$RT::SendmailPath $RT::SendmailArguments”) ||
return(0);

my initial fix/hack was to add

local $ENV{PATH} = ‘’;

as the line above, which got me up and running but does force u to use an
absolute $SendmailPath, and is a bit of a hack :wink:

after looking through the code i noticed that webmux.pl does set $ENV{path}
to a string, which should untaint it. it does however do this for the whole
mod_perl server, which is a bit rude as other apps may be expecting a
different ENV. also depending on what runs in what order at start-up for the
server RT could end up running with a different env. so i local’ed all these
vars, which fixes these probs and seems to have solved my taint probs :slight_smile:

patch below, hope its ok, this is my 1st patch to an open source project :slight_smile:

have fun,
grommit
"In the beginning, there was nothing, which exploded"

diff -c against rt-2-0-11

*** webmux.pl.orig Thu Jan 10 14:05:11 2002
webmux.pl Thu Jan 10 14:11:21 2002
*** 2,14 ****

RT is © 1996-2000 Jesse Vincent (jesse@fsck.com);

use strict;

  • $ENV{‘PATH’} = ‘/bin:/usr/bin’; # or whatever you need

  • $ENV{‘CDPATH’} = ‘’ if defined $ENV{‘CDPATH’};

  • $ENV{‘SHELL’} = ‘/bin/sh’ if defined $ENV{‘SHELL’};

  • $ENV{‘ENV’} = ‘’ if defined $ENV{‘ENV’};

  • $ENV{‘IFS’} = ‘’ if defined $ENV{‘IFS’};

    We really don’t want apache to try to eat all vm

    see

http://perl.apache.org/guide/control.html#Preventing_mod_perl_Processes_Fr

— 2,18 ----

RT is © 1996-2000 Jesse Vincent (jesse@fsck.com);

use strict;

  • Secure the ENV

  • Local so that we dont play with the ENV for any other apps, running in

the

  • same mod_perl server and they dont play with ours.

  • local $ENV{‘PATH’} = ‘/bin:/usr/bin’; # or whatever you need

  • local $ENV{‘CDPATH’} = ‘’ if defined $ENV{‘CDPATH’};

  • local $ENV{‘SHELL’} = ‘/bin/sh’ if defined $ENV{‘SHELL’};

  • local $ENV{‘ENV’} = ‘’ if defined $ENV{‘ENV’};

  • local $ENV{‘IFS’} = ‘’ if defined $ENV{‘IFS’};

    We really don’t want apache to try to eat all vm

    see

http://perl.apache.org/guide/control.html#Preventing_mod_perl_Processes_Fr

*** 30,39 ****

! $VERSION="!!RT_VERSION!!";

! use lib “!!RT_LIB_PATH!!”;
! use lib “!!RT_ETC_PATH!!”;

#This drags in RT’s config.pm
use config;
— 34,43 ----

! $VERSION=“2.0.11”;

! use lib “/usr/local/rt2/lib”;
! use lib “/usr/local/rt2/etc”;

#This drags in RT’s config.pm
use config;

ITN is endeavouring to ensure it receives mail electronically rather than by
manual post. Please send any correspondence by e-mail.

This email (and any attachments) is intended solely for the individual(s) to
whom addressed. It may contain confidential and/or legally privileged
information. Any statement or opinions therein are not necessarily those of
ITN unless specifically stated. Any unauthorised use, disclosure or copying
is prohibited. If you have received this email in error, please notify the
sender and delete it from your system. Security and reliability of the
e-mail and attachments are not guaranteed. You must take full responsibility
for virus checking.

Independent Television News Limited,
Registered No. 548648 England,
VAT Reg. No: GB 756 2995 81,
200 Gray’s Inn Road, London WC1X 8XZ,
Telephone: 0207 833 3000.