Re: Secure Form Script?
From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 05/15/04
- Previous message: Stephen Samuel: "Re: Secure Form Script?"
- In reply to: Bryce Porter: "RE: Secure Form Script?"
- Next in thread: Glynn Clements: "RE: Secure Form Script?"
Date: Fri, 14 May 2004 15:04:26 -0700
To: Bryce Porter <bporter@heart.net>
Bryce Porter wrote:
> Stephen,
>
> Yes, Net::SMTP supports MIME just fine. I have not tested pushing a
> single line with a '.' on it to an array to be sent to $smtp->data, but
> I do not think it would work like that.
>
> Also, what if you call sendmail directly, but quote it wrong? Someone
> could send an email with '; cat /etc/passwd' or whatever they wanted in
> it, and have it be executed with the same permissions the script is
> running as. Directly executing anything is a big risk no matter how you
> look at it, as far as I'm concerned.
Once again, the only thing going to the command line is the
recipient -- and I'm presuming that that is fixed. If the recipient
is not fixed, then yes, you have to validate the input (and I tend
to be relatively draconian/paranoid there).
Once you get past the command line, you're essentially dealing with
the same issues as SMTP after the 'DATA' line.
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
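The two points in this exchange (quoting mistakes when calling sendmail, and strict validation of a non-fixed recipient) can be shown together in Perl. This is an added example, not code from the original post or from either poster; the sendmail path, the helper names `valid_recipient` and `send_form_mail`, and the allowlist pattern are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; adjust for the local MTA.
my $SENDMAIL = '/usr/sbin/sendmail';

# Deliberately strict allowlist covering a conservative subset of valid
# addresses: no whitespace, quotes or shell metacharacters, and no leading
# '-' (which sendmail would read as an option).
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# Hypothetical helper: pipes a message to sendmail without involving a shell.
sub send_form_mail {
    my ($rcpt, $subject, $body) = @_;
    die "rejected recipient\n" unless valid_recipient($rcpt);
    $subject =~ s/[\r\n]+/ /g;    # a header value must stay on one line

    # List-form pipe open: the arguments go straight to exec(), so no shell
    # ever parses them. -oi stops a lone '.' line from ending the message;
    # '--' ends option parsing before the recipient.
    open(my $mail, '|-', $SENDMAIL, '-oi', '--', $rcpt)
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} "To: $rcpt\nSubject: $subject\n\n$body\n";
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed sample inputs, including the string quoted in the thread.
# Only the validator runs here; nothing is sent.
for my $input ('webmaster@example.com',
               'x@example.com; cat /etc/passwd',
               '-v@example.com',
               "a\@example.com\nBcc: b\@example.com") {
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-45s %s\n", $shown, valid_recipient($input) ? 'accept' : 'reject';
}
```

Only the first sample address is accepted; the other three are rejected before anything reaches the command line.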