Re: Secure Form Script?

From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 05/14/04

  • Next message: Stephen Samuel: "Re: Secure Form Script?"

Date: Fri, 14 May 2004 14:33:44 -0700
To: Bryce Porter <bporter@heart.net>


    Bryce Porter wrote:
    > Stephen,
    >
    > When calling a binary directly, you run a lot of risks, especially
    > format string vulnerabilities.
    >
    > I agree about using the fixed To: address, but I think he was originally
    > wanting that to be flexible. If not, fixed is most definitely the way to
    > go.

    My understanding is that he was looking for something to replace
    mailto: links and that didn't expose your email address to
    spammers, (and didn't allow spammers to hijack your server).

    A fixed destination on the CGI helps towards both of those.
    At that point the only user-input that goes into the header
    should be the Subject: field -- and you can move that into
    the body if you want to.

    Once you're dealing with the body, the only thing that you
    really have to worry about is making sure that you don't send
    a line with a bare '.'. From what I can see you may have to
    worry about the same thing with Net::SMTP.

    From where I sit, feeding /usr/sbin/sendmail directly is
    pretty much the same as talking to localhost:25, and
    Net::SMTP is (if you're sending to/via localhost) just
    a prettied-up way of doing the same thing. (It doesn't even
    seem to directly support MIME.)

    It does, however, get more useful if you want to talk
    to a remote server and/or play a bit with the TCP/IP options,
    etc.

    In my case, my CGI script punts the email to a second
    script which does a bit more pre-processing, then calls
    sendmail with the result. It could have just as
    easily used Net::SMTP (and I may just play with doing that
    for the exercise).

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
    		   http://www.bcgreen.com/~samuel/
        Powerful committed communication. Transformation touching
          the jewel within each person and bringing it to light.
    
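The shape Stephen describes above (fixed To:, the Subject as the only user-controlled header field, a body checked for a bare '.', and the choice between piping to /usr/sbin/sendmail or talking to localhost:25 with Net::SMTP), as an added example. This is not Stephen's script or anything from the thread: the addresses, the sendmail path and the form field names (subject, message) are assumptions for illustration. Two details a practitioner would want that the post only touches on: a header field is dangerous not because of the '.' but because of embedded CR/LF, which lets a submitter append "Bcc:" lines and turn the form into an open relay, so the Subject is squashed to a single printable line; and the lone-dot problem is handled differently on each path, with sendmail's -oi flag on the pipe and Net::SMTP's own datasend() dot-stuffing on the socket, so the body is never stuffed by hand (doing so on the Net::SMTP path would double the dots).

```perl
#!/usr/bin/perl
# Added example, not the poster's code: form-to-mail CGI with a fixed
# destination and hardened header handling. Addresses and field names
# below are assumptions for illustration.
use strict;
use warnings;
use CGI;

my $TO       = 'webmaster@example.com';   # fixed; never taken from the form
my $FROM     = 'webform@example.com';     # fixed envelope sender
my $SENDMAIL = '/usr/sbin/sendmail';      # assumed path

# A header field must be one line. Strip CR/LF and control characters so
# user input cannot inject extra headers (e.g. "\nBcc: ..."), cap the
# length, and fall back to a fixed subject if nothing usable is left.
sub clean_subject {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/[\r\n]+/ /g;            # header injection lives here
    $s =~ s/[^\x20-\x7e]//g;        # printable ASCII only
    $s = substr($s, 0, 200);
    $s =~ s/^\s+|\s+$//g;
    return $s eq '' ? 'Web form submission' : $s;
}

# The body is free text; only its line endings are normalised. Dot-stuffing
# is deliberately NOT done here: see send_via_sendmail / send_via_smtp.
sub clean_body {
    my ($b) = @_;
    $b = '' unless defined $b;
    $b =~ s/\r\n?/\n/g;
    return $b;
}

# Assemble the message. Every header except Subject is a constant.
sub build_message {
    my ($subject, $body) = @_;
    return join("\n",
        "To: $TO",
        "From: $FROM",
        "Subject: " . clean_subject($subject),
        "",
        clean_body($body),
    ) . "\n";
}

# Path 1: pipe to sendmail. List-form open avoids the shell entirely;
# the recipient goes on the command line (not -t) so nothing in the
# message can add recipients; -oi stops sendmail treating a lone '.'
# line as end of input, which is the bare-dot concern for this path.
sub send_via_sendmail {
    my ($msg) = @_;
    open(my $mail, '|-', $SENDMAIL, '-oi', '-f', $FROM, $TO)
        or die "cannot run $SENDMAIL: $!";
    print {$mail} $msg;
    close($mail) or die "sendmail failed, status $?";
}

# Path 2: the same thing over localhost:25. Net::SMTP's datasend()
# (called by data()) doubles any leading '.' itself, so the body must
# not be stuffed beforehand.
sub send_via_smtp {
    my ($msg) = @_;
    require Net::SMTP;
    my $smtp = Net::SMTP->new('localhost', Timeout => 30)
        or die "cannot connect to localhost:25";
    ($smtp->mail($FROM) && $smtp->to($TO))
        or die "sender or recipient rejected: " . $smtp->message;
    $smtp->data($msg) or die "message rejected: " . $smtp->message;
    $smtp->quit;
}

my $q   = CGI->new;
my $msg = build_message(scalar $q->param('subject'),
                        scalar $q->param('message'));
send_via_sendmail($msg);   # or send_via_smtp($msg); both deliver to $TO only

print $q->header('text/plain'), "Thanks, your message has been sent.\n";
```

Only one of the two senders is needed; they are both shown because the post's point is that they are interchangeable for local delivery. Whichever is used, the property that matters for "spammers hijacking your server" is that the recipient list is a constant in the script and the single user-controlled header field can no longer contain a line break.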
