Re: Secure Form Script?
From: Stephen Samuel (samuel_at_bcgreen.com)
Date: Fri, 14 May 2004 15:04:26 -0700
To: Bryce Porter <firstname.lastname@example.org>
Bryce Porter wrote:
> Yes, Net::SMTP supports MIME just fine. I have not tested pushing a
> single line with a '.' on it to an array to be sent to $smtp->data, but
> I do not think it would work like that.
> Also, what if you call sendmail directly, but quote it wrong? Someone
> could send an email with '; cat /etc/passwd' or whatever they wanted in
> it, and have it be executed with the same permissions the script is
> running as. Directly executing anything is a big risk no matter how you
> look at it, as far as I'm concerned.
Once again, the only thing going to the command line is the
recipient -- and I'm presuming that that is fixed. If the recipient
is not fixed, then yes, you have to validate the input (and I tend
to be relatively draconian/paranoid there).
Once you get past the command line, you're essentially dealing with
the same issues as SMTP after the 'DATA' line.
--
Stephen Samuel +1(604)876-0426 email@example.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
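The pattern both sides of the thread circle around, as an added Perl example that is not from this thread or from either poster: a strict recipient check before anything goes near sendmail, a list-form pipe so no shell is ever involved, and the dot-stuffing that SMTP DATA needs. The sendmail path (/usr/sbin/sendmail) is an assumption.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: hand a recipient to sendmail
# without going through a shell, and dot-stuff a body the way SMTP DATA
# requires. Assumes sendmail lives at /usr/sbin/sendmail.
use strict;
use warnings;

# Draconian recipient check: one plain local-part@domain, starting with a
# letter or digit so it can never be mistaken for a sendmail option (-bs).
# Shell metacharacters, quotes and whitespace are refused, not escaped.
sub valid_recipient {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
}

# SMTP dot-stuffing: a body line beginning with '.' gets a second '.' in
# front, so a line holding only "." cannot end the DATA section early.
# Net::SMTP's datasend() does this itself; this shows what it does.
sub dot_stuff {
    my ($body) = @_;
    return join "\n", map { $_ =~ /\A\./ ? ".$_" : $_ } split /\n/, $body, -1;
}

sub send_via_sendmail {
    my ($to, $subject, $body) = @_;
    die "refusing recipient\n" unless valid_recipient($to);
    # A newline inside a header field would let a caller append extra headers.
    die "refusing subject\n" if !defined $subject || $subject =~ /[\r\n]/;

    # List-form pipe open: the arguments go straight to execve(), so
    # '; cat /etc/passwd' in $to never meets a shell. '-i' tells sendmail
    # not to treat a lone '.' line as end of input, so no dot-stuffing here.
    open(my $mail, '|-', '/usr/sbin/sendmail', '-i', $to)
        or die "cannot run sendmail: $!\n";
    print $mail "To: $to\nSubject: $subject\n\n$body\n";
    close($mail) or die "sendmail exited with status $?\n";
}

# Constructed inputs: the second is rejected before any process is started.
for my $rcpt ('alice@example.com', 'bob@example.com; cat /etc/passwd') {
    printf "%-35s %s\n", $rcpt, valid_recipient($rcpt) ? 'accepted' : 'refused';
}
print dot_stuff("line one\n.\n.hidden\nline four"), "\n";
```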