in reply to Re: Re: Re: making first letter of all words in array upper case
in thread making first letter of all words in array upper case

Well, as we've been trying to tell you, you need a thorough understanding of CGI security issues before putting this program on a public-facing server. But as you seem determined to ignore this advice and go ahead anyway, here are a couple of things that you really must think about.

  1. In any program that writes an email, you must ensure that none of the header fields can contain newline characters. If a user can insert newlines into the email headers then they can invent whatevr headers they want and cause your headers to be ignored.
  2. A good rule of thumb is to only send fixed text to email addresses that are read from the form and to only send input taken from the form to a fixed set of known email addresses.
--
<http://www.dave.org.uk>

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

  • Comment on Re: Re: Re: Re: making first letter of all words in array upper case

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: making first letter of all words in array upper case
by iamrobj (Initiate) on Jan 01, 2003 at 18:57 UTC
    Thanks for the tips :)

    How does this look: 

    #!/usr/bin/perl

#The path to the mail program on your system
$mailprog = "/usr/sbin/sendmail";

# redirect page
$redirect = "http://";

# Site url being referred
$siteurl = "http://";

# Read the form
read(STDIN, $input, $ENV{'CONTENT_LENGTH'});

# split the input
@pairs = split(/&/, $input);

# split the name/value pairs
foreach $pair (@pairs) {

  ($name, $value) = split(/=/, $pair);

  $name =~ tr/+/ /;
  $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
  $value =~ tr/+/ /;
  $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
  $value =~ s/<([^>]|\n)*>//g;

  $FORM{$name} = $value;
}

# some variables
$to = $FORM{'to'};
$tomail = $FORM{'tomail'};
$from = $FORM{'from'};
$frommail = $FORM{'frommail'};
$message = $FORM{'message'};

# make all first characters of names, uppercase

@from = split(/ /, $from);
@from = map ucfirst, @from;

@to = split(/ /, $to);
@to = map ucfirst, @to;

# make the first letter of the message upper case
$message = ucfirst($message);

##############################################
# puts a period at the end of senders message,
# if one was not there, AND, if there is no
# question OR explanation mark.

$message .= '.' if $message !~ /[.!?]$/;

# do the mail...
open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
  print MAIL "From: $frommail\n";
  print MAIL "To: $tomail\n";
  print MAIL "Subject: @to, @from says check out $sitename!\n\n";
  print MAIL "This is NOT spam! You were sent the email by @from ($fro
+mmail),\nat IP: $ENV{'REMOTE_ADDR'}\n\n\n";
  print MAIL "Hello @to, @from has sent you this email inviting you to
+ check out $siteurl\n\n\n";
  print MAIL "@from also had this to say:\n$message\n\n\n" if ($messag
+e ne "");
  print MAIL "So check out $siteurl!";
close (MAIL);

# redirect the browser
print "Location: $redirect\n\n";

# tell me if they told
#&told;

exit;

sub told {       
  open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
  print MAIL "To: toldafriend\@whatever.com\n";
  print MAIL "From: toldafriend\@whatever.com\n";
  print MAIL "Subject: $frommail (@from) told $tomail (@to)\n";
  close(MAIL);
}

    [download]
    Do I need the exit; line about "sub told" ??
[reply]
[d/l]
      1. You've removed "-w", "-T" and "use strict" from your program. No CGI program should be deployed without using all of those.
      2. You've switched from using CGI.pm to a buggy homemade CGI parameter parsing routine.
      3. You still send input from the form to an email address that also comes from the form. I told you that you should only ever send fixed content to email addresses that you get from user input.
      4. The relevant FAQ suggests including "-oi" in the options that to pass to sendmail for good reason. You ignore that advice.

      There's probably more, but these were problems I picked up on in the first minute of looking.

      Have you read any of the CGI security documents that merlyn pointed you at?

      --
      <http://www.dave.org.uk>

      "The first rule of Perl club is you do not talk about Perl club."
      -- Chip Salzenberg

[reply]
        "You still send input from the form to an email address that also comes from the form"... How else can someone tell their friend about my site through my site?!
[reply]
      A reply falls below the community's threshold of quality. You may see it by logging in.

      How does this look:

      It looks awful. 

      $foo++  # increment $foo

# Greet the user
print "Hello!\n";

If ($foo =~ /bar/) {  # If $foo contains 'bar'

      [download]
      Don't comment what is obvious. Don't explain what code does. Explain algorithms, explain strange things. But don't insult the reader. If someone wants to know what a certain operator does, that someone should use the documentation.

      Always assume that whoever reads source code either knows the language, or wants to learn it.

      Further comments:

      • Don't parse form fields yourself if you don't know how to. There are many modules that you can use for this.
      • Don't send mail this way. As merlyn already pointed out, ione can easily use your script as an anonymous mailer.
      • Don't leave unused subroutines around. It's confusing. If you really want to have the code around, comment it out.
      • use strict and warnings.
      • Use a module that sends e-mail. My favourite is MIME::Lite (despite its name, it can also send simple plain text messages).
      • Learn Perl before writing scripts that are accessible publicly. It's okay to write bad code, but it is not okay to write bad code that others can abuse. 

      - Yes, I reinvent wheels.
- Spam: Visit eurotraQ.

[reply]
[d/l]

        Use a module that sends e-mail. My favourite is MIME::Lite (despite its name, it can also send simple plain text messages).

        You do know that MIME::Lite just uses sendmail don't you? That being the case perhaps you might like to share your rationale for this suggestion.

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

[reply]
        I am not trying to insult anyone. If I were going to give this script to someone who is very new to Perl or CGI (like ME!), this would help them out greatly!!

        What I don't understand is, with all the responses I have got on this site, no one can help me fix it. Is it really such a hard task to make this script safe to use?! I am a "Seeker of Perl Wisdom"...

[reply]
      I don't know if it's secure but this module does much the same thing 
      
use CGI::Application::MailPage;
my $mailpage = CGI::Application::MailPage->new(
            PARAMS => {
                         document_root => 'whatever',
                         smtp_server => 'smtp.myserver',
                       },
            );
$mailpage->run();

      [download]

      poj
[reply]
[d/l]

In Section Seekers of Perl Wisdom