Re: Secure Form Script?

From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 05/15/04

    Date: Fri, 14 May 2004 15:04:26 -0700
    To: Bryce Porter <bporter@heart.net>
    
    

    Bryce Porter wrote:
    > Stephen,
    >
    > Yes, Net::SMTP supports MIME just fine. I have not tested pushing a
    > single line with a '.' on it to an array to be sent to $smtp->data, but
    > I do not think it would work like that.
    >
    > Also, what if you call sendmail directly, but quote it wrong? Someone
    > could send an email with '; cat /etc/passwd' or whatever they wanted in
    > it, and have it be executed with the same permissions the script is
    > running as. Directly executing anything is a big risk no matter how you
    > look at it, as far as I'm concerned.

    Once again, the only thing going to the command line is the
    recipient -- and I'm presuming that that is fixed. If the recipient
    is not fixed, then yes, you have to validate the input (and I tend
    to be relatively draconian/paranoid there).

    Once you get past the command line, you're essentially dealing with
    the same issues as SMTP after the 'DATA' line.

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
    		   http://www.bcgreen.com/~samuel/
        Powerful committed communication. Transformation touching
          the jewel within each person and bringing it to light.
    
