Re: Secure Form Script?

From: Stephen Samuel (samuel_at_bcgreen.com)
Date: 05/15/04

    Date: Fri, 14 May 2004 15:04:26 -0700
    To: Bryce Porter <bporter@heart.net>
    
    

    Bryce Porter wrote:
    > Stephen,
    >
    > Yes, Net::SMTP supports MIME just fine. I have not tested pushing a
    > single line with a '.' on it to an array to be sent to $smtp->data, but
    > I do not think it would work like that.
    >
    > Also, what if you call sendmail directly, but quote it wrong? Someone
    > could send an email with '; cat /etc/passwd' or whatever they wanted in
    > it, and have it be executed with the same permissions the script is
    > running as. Directly executing anything is a big risk no matter how you
    > look at it, as far as I'm concerned.

    Once again, the only thing going to the command line is the
    recipient -- and I'm presuming that that is fixed. If the recipient
    is not fixed, then yes, you have to validate the input (and I tend
    to be relatively draconian/paranoid there).

    Once you get past the command line, you're essentially dealing with
    the same issues as SMTP after the 'DATA' line.

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
                   http://www.bcgreen.com/~samuel/
        Powerful committed communication. Transformation touching
          the jewel within each person and bringing it to light.
    
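    The two concerns raised in this exchange, the recipient reaching a shell and the body reaching the SMTP DATA phase, side by side in one script. This is an added example written for this page, not code posted by either correspondent; the sendmail path, the form field names, the FORM_MAIL_DRYRUN switch and the sample submission are all assumptions made here.

```perl
#!/usr/bin/perl
# Added illustration (not code from the thread): pipe a web form to
# sendmail without a shell, validate the recipient, and handle what the
# SMTP DATA phase cares about (CR/LF in headers, lines starting with '.').
use strict;
use warnings;

my $SENDMAIL = '/usr/sbin/sendmail';   # assumed path; adjust for your host

# Accept only a plain mailbox address. Characters the shell or SMTP would
# act on (space, quote, ';', '<', CR, LF) are rejected, never "escaped".
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Form fields that land in headers (From:, Subject:) must not carry line
# breaks, or the submitter can append headers of their own (e.g. Bcc:).
sub clean_header {
    my ($value) = @_;
    $value =~ s/[\r\n]+/ /g;
    return $value;
}

# After DATA, a line holding a single '.' ends the message, so any body
# line that begins with '.' must be sent with an extra leading '.'.
# Needed when you speak SMTP yourself; sendmail started with -oi does not
# need it (it would deliver the doubled dot literally).
sub dot_stuff {
    my ($body) = @_;
    $body =~ s/^\./../mg;
    return $body;
}

sub build_message {
    my (%m) = @_;
    my $hdr = sprintf "From: %s\nTo: %s\nSubject: %s\n\n",
        clean_header($m{from}), $m{to}, clean_header($m{subject});
    return $hdr . $m{body};
}

sub send_form_mail {
    my (%m) = @_;
    die "refusing recipient '$m{to}'\n" unless valid_recipient($m{to});
    my $msg = build_message(%m);

    # Assumed switch so the script can be exercised without an MTA.
    if ($ENV{FORM_MAIL_DRYRUN}) { print $msg; return 1; }

    # Multi-argument open runs sendmail directly: no /bin/sh is involved,
    # so the recipient is a single argv element and '; cat /etc/passwd'
    # could never be interpreted. -oi: a lone '.' does not end stdin input.
    open(my $mail, '|-', $SENDMAIL, '-oi', $m{to})
        or die "cannot run $SENDMAIL: $!\n";
    print {$mail} $msg;
    close($mail) or die "sendmail failed, exit status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed inputs of the kind the thread worries about.
for my $rcpt ('webmaster@example.com', 'x@example.com; cat /etc/passwd') {
    printf "%-40s %s\n", $rcpt, valid_recipient($rcpt) ? 'accepted' : 'rejected';
}

my %submission = (
    to      => 'webmaster@example.com',
    from    => "visitor\@example.org\nBcc: someone\@example.net",  # injection attempt
    subject => 'Contact form',
    body    => "Hello\n.\nthis line would have ended an SMTP DATA phase\n",
);

# What a raw SMTP client would have to transmit after DATA:
print dot_stuff($submission{body});

send_form_mail(%submission);
```

    Run it with FORM_MAIL_DRYRUN=1 to see the message that would be piped: the injected Bcc: line has been folded into the From: value, the shell-metacharacter recipient is rejected outright, and the dot-stuffed body shows the lone '.' escaped as '..'.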
