in reply to Re: checking for null variables
in thread checking for null variables

Ahh yes, my common rant in "cgi-to-email" solutions. Your form can be used to send spam. Please do not deploy this code on the world-wide web until you have ensured that you do not get delivery addresses from form data. Otherwise, when someone discovers that your form sends email, they'll exploit it for spamming, and you'll get the blame, and then your system will be RBL'ed, and you'll end up hating the world, or something like that.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.


Re: •Security Alert (was Re: Re: checking for null variables)
by edahm (Initiate) on Apr 16, 2003 at 20:02 UTC
    I appreciate your comment, but, as you can tell, I am a perl novice and know of no solution. Could you recommend a good tutorial to me? I was using the one at htmlgoodies.com
      Well, there are (at least) two rules to follow about "form-to-email".

      First, do not fill in the to: or cc: fields (or any other field that can have a delivery address) from any form data. Hardwire it into the program:

      print SENDMAIL <<"END";
      To: some.person\@my.domain.only
      Subject: $FORM{subject}

      $FORM{detail}
      END

      Second, if you use any form data in the header (like subject above), make very sure that the data cannot possibly contain newlines or anything resembling newlines. Otherwise, a bad guy can insert a newline into the data (not using your form, but using their own formstuffer), and insert a to/cc/bcc field, thus losing the protection provided in the previous point.

      Does that help?

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.
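The two rules above, applied in one small helper. This is an added example, not Randal's code: it assumes a `%FORM` hash that the caller has already parsed from the CGI request, uses the field names `subject` and `detail` from the post, and makes up the recipient and the sample submissions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): form-to-email that hardwires the
# recipient (rule 1) and refuses any header value containing a newline or
# anything a mail transport might treat as one (rule 2).  Assumes %FORM is
# already parsed by the caller; field names follow the post above.
use strict;
use warnings;

# Rule 1: the delivery address never comes from form data.
my $TO = 'some.person@my.domain.only';   # hardwired; assumed address

# Rule 2: a value destined for a header may not contain CR, LF or any
# other ASCII control character (vertical tab, form feed, NUL, ...).
# Returns true only when the value is safe to place on one header line.
sub header_value_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if $value =~ /[\x00-\x1f\x7f]/;   # any control character
    return 1;
}

# Build the complete message text, or die if a header field is unsafe.
# Only the subject goes into the header; the body may contain newlines.
sub build_message {
    my (%form) = @_;
    my $subject = $form{subject} // '';
    my $detail  = $form{detail}  // '';
    die "refusing to send: subject contains a line break\n"
        unless header_value_ok($subject);
    return "To: $TO\nSubject: $subject\n\n$detail\n";
}

# Constructed sample inputs: an ordinary submission, then the kind a
# "formstuffer" sends, with a newline spliced into the subject so that a
# Bcc: line would appear inside the header block.
my %good = (subject => 'Question about the site',
            detail  => "Hello,\nhow do I ...");
my %bad  = (subject => "Hi\nBcc: someone\@example.invalid",
            detail  => 'x');

print build_message(%good);
eval { build_message(%bad); 1 } or print "rejected: $@";

# To deliver, pipe the returned text to sendmail.  Pass the hardwired
# recipient on the command line rather than using -t, so sendmail never
# reads recipients out of the header block at all:
#   open my $sendmail, '|-', '/usr/sbin/sendmail', '-oi', $TO or die $!;
#   print $sendmail build_message(%FORM);
#   close $sendmail or die "sendmail failed: $?";
```

Rejecting the whole submission is deliberate: silently stripping the newline would let the rest of the injected text through, while an error tells you someone is probing the form.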