#1 Unchecked results from MX lookup causes taint errors.

open
nobody
None
5
2003-01-02
2003-01-02
Bjorn Jacobsen
No

There is a problem and potential security hazard that causes the
Mail::CheckUser to fail in Perl 5.8.0 with taint checking enabled.
I have not tried with previous versions of perl.

The list of
MX records returned from DNS is passed directly to Net::Ping-
>XXX without checking the host names for validity. These have
to be untainted and should be checked for valid syntax. I have not
studied the code much, but in the event someone controls the
DNS of the email address being verified, it might open security
holes now or in the future.

I have uploaded a simple patch,
although you might want to provide a more elegant solution. I just
needed to get it working in a hurry after upgrading Perl :-)

Discussion