From: Aaron Bentley <abentleyat_private>

> I'm writing a CGI program in C++ that sends email. I'm using Sendmail
> for the transmission, so I need a command that lets me specify stdin for
> Sendmail.
> I understand popen() is not very secure, because it uses the shell to
> execute the command, but I don't know of a safe alternative. I can
> sanitize my input, but is escaping all non-alphanumeric characters the
> right answer?
>
> The program is not privileged, but I don't want people to be able to
> gain privileges as 'nobody' on the web server.
>
> Any suggestions for this?

Ken Arnold published a secure popen() in Unix Review years ago (1994?).
It's been used in Vixie Cron and in the TIS Firewall toolkit. (I'm
assuming those writers copied it from UR as I recognised the code when I
saw it.)

The 1999 root bug in Vixie Cron did not arise from a flaw in this but in
the choice of sending mail as root with the username on the command line
- that was 2 errors and it was spotted by M. Zalewski and exploited by
O. Kirch IIRC.

This brings us to your question:

If you do the pipe()-fork()-exec() thing and call

    execl("/usr/lib/sendmail", "sendmail", "-oi", "-t", (char *)NULL);

you can then pipe in your recipients' names as

    To: abentleyat_private

and there is no chance of polluting the sendmail command line with shell
metas or "-C".

Check all return codes including the one from the child process.

--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
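The pipe()-fork()-exec() approach described above, written out as an added example (it is not code from the original post, from Ken Arnold's article, Vixie Cron or the TIS toolkit): a shell-free popen() replacement that feeds the message to sendmail -oi -t on stdin, returns the child's exit status so the caller can check it, and refuses a recipient or subject containing CR/LF since those values land on header lines. The function names, the 4096-byte message buffer and the use of execv() instead of execl() are assumptions of this example; the sendmail path and flags are the ones from the post.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* pipe()-fork()-exec() replacement for popen(): run `path` with `argv`
 * directly (no shell, no metacharacter expansion), feed `input` to its stdin
 * and return its exit status (0-255; 127 if exec failed) or -1 on local error. */
int run_with_stdin(const char *path, char *const argv[], const char *input)
{
    int fds[2], status;
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: stdin <- pipe, exec */
        if (dup2(fds[0], STDIN_FILENO) == -1) _exit(127);
        close(fds[0]); close(fds[1]);
        execv(path, argv);
        _exit(127);                          /* reached only if exec failed */
    }
    close(fds[0]);                           /* parent keeps the write end */
    /* A child that exits early makes write() raise SIGPIPE; ignore it so
     * the failure surfaces through the exit status instead. */
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);
    for (size_t left = strlen(input); left > 0; ) {
        ssize_t n = write(fds[1], input, left);
        if (n == -1) { if (errno == EINTR) continue; break; }
        input += n; left -= (size_t)n;
    }
    close(fds[1]);                           /* EOF for the child */
    signal(SIGPIPE, old);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hand the message to sendmail -oi -t: recipients come from the headers on
 * stdin, never from the command line. Header fields are single lines, so a
 * CR/LF in `to` or `subject` could inject headers; refuse it, don't escape. */
int send_mail(const char *to, const char *subject, const char *body)
{
    char msg[4096];                          /* assumed size limit for this example */
    if (!*to || strpbrk(to, "\r\n") || strpbrk(subject, "\r\n")) return -1;
    int n = snprintf(msg, sizeof msg, "To: %s\nSubject: %s\n\n%s\n", to, subject, body);
    if (n < 0 || (size_t)n >= sizeof msg) return -1;
    char *const argv[] = { "sendmail", "-oi", "-t", NULL };
    return run_with_stdin("/usr/lib/sendmail", argv, msg);
}
```

A non-zero return from send_mail() is the child's exit status (or -1 for a local failure), which is the return code the post says to check.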
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:30:18 PDT