Re^3: CGI recipient Option by iburrell (Chaplain) on Sep 01, 2004 at 18:27 UTC
The important question is: is it accessible to the web? Being used internally may make it harder for bad guys to find and exploit. But as long as it is visible to the whole web, it is vulnerable.
First, use CGI.pm to parse the form parameters. There are bugs and security issues in parsing form parameters that CGI.pm fixes. Lincoln Stein has done the work, and tons of people have tested and trusted it, so you don't need to. If you want a hash, use the Vars method.
Second, reduce what comes from form parameters. Form parameters can be set to anything by attackers. For example, with the Reply-to line, I could send "your@email-address\nTo: some spam victim\nSubject: this is spam\n\nMy spam message" as the espr2 parameter. The recipient receives some spam with your message as junk at the end. Hard code them in the script where you can. You have done this with the recipient, which is good. One trick is to reorder the headers with form parameter fields last.
Some values, like the From: line in your script, have to come from the form parameters. Validate those that are important from a security standpoint. Email address parameters should only look like an email address, and you can be more strict than the general address matching. Names in headers should just be words. Other fields in the header should not contain line breaks.
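The points above (parse with CGI.pm, hard-code the recipient, reject line breaks in any header value, validate addresses and names strictly, and put form-derived headers last) pulled together into one script. This is an added example, not iburrell's code or the original poster's script; the form field names (from, name, subject, message), the placeholder recipient address and the sendmail path are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Hard-coded recipient: never taken from the form. Placeholder address.
my $RECIPIENT = 'webmaster@example.com';

# Assumed sendmail location; adjust for the host.
my $SENDMAIL = '/usr/sbin/sendmail';

# Let CGI.pm do the parameter parsing.
my $q = CGI->new;

# A header value may never contain CR or LF; those are the characters that
# let a submitted field grow extra headers (or a body) of its own.
sub no_newlines {
    my ($v) = @_;
    return defined $v && $v !~ /[\r\n]/;
}

# Deliberately stricter than RFC 822: one bare local-part@domain, with no
# display name, whitespace, angle brackets or comments.
sub looks_like_email {
    my ($v) = @_;
    return no_newlines($v)
        && $v =~ /\A[A-Za-z0-9._%+-]{1,64}\@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\z/;
}

# Names in headers: just words (letters, digits, spaces, dots, hyphens, apostrophes).
sub looks_like_name {
    my ($v) = @_;
    return no_newlines($v) && $v =~ /\A[\w .'-]{1,80}\z/;
}

# Assumed form field names.
my $from    = $q->param('from');
my $name    = $q->param('name');
my $subject = $q->param('subject');
my $body    = $q->param('message');
$body = '' unless defined $body;

# Validate everything that ends up in a header before building the message.
my @errors;
push @errors, 'bad From address' unless looks_like_email($from);
push @errors, 'bad name'         unless looks_like_name($name);
push @errors, 'bad subject'
    unless no_newlines($subject) && length($subject) <= 200;

if (@errors) {
    print $q->header('text/plain'), "Rejected: @errors\n";
    exit;
}

# Fixed headers first, form-derived headers last, then the blank line and body.
my $mail = join "\n",
    "To: $RECIPIENT",
    "Subject: $subject",
    "From: $name <$from>",
    "Reply-To: $from",
    '',
    $body;
$mail .= "\n";

# List-form pipe open: no shell, so the arguments are never reinterpreted.
# The envelope recipient is passed explicitly rather than read from the
# headers with -t, so delivery does not depend on the header block at all.
open(my $mh, '|-', $SENDMAIL, '-oi', $RECIPIENT)
    or die "cannot run $SENDMAIL: $!";
print {$mh} $mail;
close($mh) or die "sendmail failed: $!";

print $q->header('text/plain'), "Message sent.\n";
```

The three checks are the whole point: no_newlines() is what stops the "Reply-to" trick quoted above, and the address and name patterns are tighter than what a general address parser would accept, which is fine for a contact form where you control what a legitimate submission looks like. Passing the recipient on the sendmail command line instead of using -t means that even if a header check were ever weakened, the envelope recipient would still be the hard-coded one.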