remote .forward setter

Category:	mail utils
Author/Contact Info	Artem Litvinovich
Description:	SetForward By Artem Litvinovich Feb 15, 2003 This is a small cgi which provides the ability to update a ".forward" file remotely. Access to setforward.html maybe protected with htaccess settings. The valid origin for requests is configurable within the cgi.
#!/usr/bin/perl # By Artem Litvinovich (al867@columbia.edu) # Feb 15, 2003 use CGI qw(:standard); # TARGET DIRECTORY (must have write permission) my $targetdir = "/tmp"; # VALID CALLER URL (beginning) my $validorigin = "http://localhost"; my $q = CGI->new(); my $notify = $q->param("notify"); if(referer() =~ /^\Q$validorigin\E/) { `echo $notify \| cat > $targetdir/.forward` if($notify); print header,start_html(),"Forwarding to: <b>".(`cat $targetdir/.f +orward`)."</b>",end_html(); } else { print header,start_html(),"invalid origin",end_html(); } exit 1; ----- `<html><body> <form action="setnotify.cgi" method="get"> Update notification email address: [<i>leave blank to view current set +ting</i>]<br><br> <input type="text" name="notify" size="48" maxlength="250"> <inpu +t type="submit" value="View/Update"> </form> </body></html>`

Comment on remote .forward setter Select or Download Code

Replies are listed 'Best First'.
•Re: remote .forward setter by merlyn (Sage) on Feb 28, 2003 at 12:07 UTC
The referer value is trivially forged, so putting code to check it is a false security step (and a bit distracting). If you don't protect this with SSL, you're gonna get bit. (I hope you're aware that BasicAuth is trivially sniffed.) And, your `.forward` has to be owned by you, not by the web user, and not writable by group or world, or else it will be ignored by every sensible MTA that I've seen. Also, calling a bunch of shell-outs in a Perl program for things that are trivially done in Perl doesn't win any points for style. In fact, it has the negative impact in that if you decide to make this script setuid to fix the previous problem, your script will no longer work! In summary, nice idea, but poor implementation. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]

Replies are listed 'Best First'.

•Re: remote .forward setter
by merlyn (Sage) on Feb 28, 2003 at 12:07 UTC

don't

And, your .forward has to be owned by you, not by the web user, and not writable by group or world, or else it will be ignored by every sensible MTA that I've seen.

Also, calling a bunch of shell-outs in a Perl program for things that are trivially done in Perl doesn't win any points for style. In fact, it has the negative impact in that if you decide to make this script setuid to fix the previous problem, your script will no longer work!

In summary, nice idea, but poor implementation.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

[reply]