RT 3.0.9 can't have PerlTaint turned on

Hello,

I thought I’d try turning PerlTaint on in my httpd.conf file and
while the website runs, you can’t send any email out:

Feb 20 12:57:06 it-linux1 RT: <rt-3.0.9-510-2953.5.41022378369007@appliedminds.com> Could not send mail. -Insecure $ENV{PATH} while running with -T switch at /export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Action/SendEmail.pm line 269.
Stack:
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Action/SendEmail.pm:269]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Action/SendEmail.pm:181]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/ScripAction_Overlay.pm:207]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Scrip_Overlay.pm:417]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Scrip_Overlay.pm:352]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Scrips_Overlay.pm:196]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Transaction_Overlay.pm:118]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Ticket_Overlay.pm:3801]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Ticket_Overlay.pm:625]
  [/export/home2/apache/intranet_html/rt-3.0.9/lib/RT/Interface/Email.pm:670]
  [/export/ho

Best,
Blair

Blair Zajac blair@orcaware.com
Plots of your system’s performance - http://www.orcaware.com/orca/

> Hello,
>
> I thought I’d try turning PerlTaint on in my httpd.conf file and
> while the website runs, you can’t send any email out:

Blair,

Hm. Aren’t we forcing $ENV{'PATH'} to a safe value in webmux.pl?
Also, I seem to recall that you spent some time looking into tainting
in a previous release. Did this work fine in 3.0.8?

Jesse Vincent wrote:

>> Hello,
>>
>> I thought I’d try turning PerlTaint on in my httpd.conf file and
>> while the website runs, you can’t send any email out:
>
> Blair,
>
> Hm. Aren’t we forcing $ENV{'PATH'} to a safe value in webmux.pl?
> Also, I seem to recall that you spent some time looking into tainting
> in a previous release. Did this work fine in 3.0.8?

Jesse,

Yes, there’s this line in webmux.pl:

BEGIN {
    $ENV{'PATH'} = '/bin:/usr/bin'; # or whatever you need

I get this error when I send email to the RT mail address and
it runs rt-mailgate. I don’t have a good sense of what rt-mailgate
does, but does it post the message via the web site to get the
message into the database?

I haven’t tried turning on PerlTaint for a while and didn’t try it
with 3.0.8. Just thought I’d try today.

Best,
Blair

Blair Zajac blair@orcaware.com
Plots of your system’s performance - http://www.orcaware.com/orca/
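
The "Insecure $ENV{PATH}" error in the log above is Perl's taint check refusing to start an external program while PATH still holds a value inherited from the caller, even when the program is given by absolute path. The following reproduction and fix is an added example, not code from RT or from anyone in this thread; it uses /bin/cat as a stand-in for the mail command (an assumption) and must be started as `perl -T taint_demo.pl` (the file name is also an assumption).

```perl
#!/usr/bin/perl -T
# Added illustration, not RT code. Under -T, Perl refuses to start an
# external program while $ENV{PATH} (or IFS, CDPATH, ENV, BASH_ENV)
# still holds a value inherited from the calling environment.
use strict;
use warnings;

# Pipe a constructed message into an external command, the way a mail
# action hands a message to a sendmail-style program.
# Returns '' on success, or the error text on failure.
sub try_pipe {
    my @cmd = @_;
    my $ok = eval {
        # List form: no shell is involved, yet the PATH check still applies.
        open(my $fh, '|-', @cmd) or die "open failed: $!\n";
        print {$fh} "constructed test message\n";
        close($fh) or die "close failed: $! (exit status $?)\n";
        1;
    };
    return $ok ? '' : $@;
}

# Replace inherited values with fixed ones. Assigning a literal untaints
# PATH; the other variables are removed because shells act on them.
sub clean_env {
    $ENV{PATH} = '/bin:/usr/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return;
}

# /bin/cat stands in for the mailer (assumption); it copies the piped
# message to standard output when the pipe is allowed.
my $before = try_pipe('/bin/cat');
clean_env();
my $after = try_pipe('/bin/cat');

print 'before clean_env: ', ($before eq '' ? "ok\n" : $before);
print 'after clean_env:  ', ($after  eq '' ? "ok\n" : $after);
```

The cleanup only protects the process that runs it, so each entry point that can reach code spawning a program needs its own.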