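#!/usr/bin/perl -wT
# Small CGI "send me a message" form handler: reads four form fields, cleans
# them up under taint mode, mails the result to one fixed address and then
# echoes back to the browser what was actually sent.
use strict;
use warnings;

use Mail::Mailer;
use Email::Valid;
use CGI qw/:standard escapeHTML/;

# used for debugging, commented out for live code
#use CGI::Carp qw(fatalsToBrowser);

# Taint mode (-T) refuses to start child processes with an attacker-influenced
# environment, and Mail::Mailer may hand the message to a local MTA binary, so
# pin PATH and drop the shell-influencing variables before anything else runs.
$ENV{'PATH'} = '/bin:/usr/bin:/sbin';
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

# Hardcode my address, I always send it to one place
my $to_address = 'my@address.com';

# I amuse myself so easily
my @random_senders = (
    'a giant purple monkey',
    'frozen waffles',
    'a group of rabid penguins',
    'albuquerque',
    'a fluorescent dog',
    'a black moldy banana',
    'planet zod',
);

# Get the input values.  Everything that comes out of param() is tainted.
my $tainted_from    = param('from');      # User supplied name, not email addy
my $tainted_email   = param('email');
my $tainted_subject = param('subject');
my $tainted_body    = param('body');

# Do some untainting.  A regex capture is the taint-mode idiom: only what the
# parenthesised group matched is copied into the clean variable.
#
# Values that end up in mail *headers* are restricted to horizontal whitespace
# (space and tab) rather than "\s": a header is a single line, and an embedded
# CR or LF would end it early and whatever follows would be read as another
# header.  The matches are anchored with \A and \z because "$" tolerates a
# trailing newline.
my ( $from, $subject, $email_address, $body );

($from) = $tainted_from =~ /\A([\w\-. \t]+)\z/ if $tainted_from;

($subject) = $tainted_subject =~ /\A([\w \t.,?'!]+)\z/ if $tainted_subject;

# Use the address Email::Valid hands back (it may be a normalised form) rather
# than the raw parameter, and untaint it through a capture that, as above,
# only rules out line breaks.  Anything that fails validation gets a
# placeholder sender instead.
my $checked_email = $tainted_email ? Email::Valid->address($tainted_email) : undef;
if ( defined $checked_email ) {
    ($email_address) = $checked_email =~ /\A([^\r\n]+)\z/;
}
$email_address = 'Nobody@Nowhere.com' unless defined $email_address;

# This is just getting silly: strip everything outside a generous printable
# set.  s/// does not untaint, but the body is only ever printed to the mail
# handle, never passed to a child process, so that is fine here.  Newlines are
# allowed in the body on purpose.
$tainted_body =~ s![^\w\s\d.,?\!\$\@~\'\"\#\%\&\^\(\)\[\]\{\};:\\/~\*\-\+]!!g
    if defined $tainted_body;
$body = ( defined $tainted_body && length $tainted_body )
    ? $tainted_body
    : "I have nothing intelligent to say.";

# Set default values if the input was blank or bad.  length() rather than a
# truth test so a name or subject of "0" is kept.
$from = $random_senders[ rand @random_senders ]
    unless defined $from && length $from;
my $subject_text = ( defined $subject && length $subject ) ? $subject : 'Kumquat!';
$subject = qq{Aliens speaking through $from say "$subject_text"};

# This does the actual mail sending.  Errors on a piped write only surface at
# close(), so that return value is checked as well as open()'s.
my $mailer = Mail::Mailer->new();
$mailer->open({
    From    => $email_address,
    To      => $to_address,
    Subject => $subject,
}) or die "Can't open: $!\n";
print {$mailer} $body;
$mailer->close() or die "Can't close: $!\n";

# Show the user some spiffy results.  Every echoed value goes through
# escapeHTML, not just the body: the validated e-mail address in particular is
# not limited to a safe character class the way $from and $subject are, and an
# address that is legal for Email::Valid can still contain characters that are
# markup in an HTML page.
print header,
    title("Message results"),
    start_html,
    p("Message sent successfully!"),
    p( "Your email:", br, escapeHTML($email_address) ),
    p( "Subject:",    br, escapeHTML($subject) ),
    p( "Body:",       br, pre( escapeHTML($body) ) ),
    p(  "Note that if those aren't the values ",
        "you put in, they didn't pass through",
        "my validation filters. Or you were too",
        "lazy to actually put in any values." ),
    end_html;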