in reply to •Security Alert (was Re: Re: checking for null variables)
in thread checking for null variables

I appreciate your comment, but, as you can tell, I am a perl novice and know of no solution. Could you recommend a good tutorial to me? I was using the one at htmlgoodies.com

•Re: Re: •Security Alert (was Re: Re: checking for null variables)
by merlyn (Sage) on Apr 16, 2003 at 20:08 UTC
    Well, there are (at least) two rules to follow about "form-to-email".

    First, do not fill in the to: or cc: fields (or any other field that can have a delivery address) from any form data. Hardwire it into the program:

    print SENDMAIL <<"END";
    To: some.person\@my.domain.only
    Subject: $FORM{subject}

    $FORM{detail}
    END

    Second, if you use any form data in the header (like subject above), make very sure that the data cannot possibly contain newlines or anything resembling newlines. Otherwise, a bad guy can insert a newline into the data (not using your form, but using their own formstuffer), and insert a to/cc/bcc field, thus losing the protection provided in the previous point.

    Does that help?

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.
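One way to apply both rules in a form-to-email script, as an added example that is not merlyn's code from the thread: the recipient is hard-wired, and the one form field that reaches the header is rejected if it carries a newline (or any other control character) that could start an injected To/Cc/Bcc line. The `safe_header_value` and `build_message` names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hard-wired delivery address: never taken from form data (rule one).
my $TO = 'some.person@my.domain.only';

# Returns the value if it may safely appear in a header, otherwise undef.
# CR and LF are what header injection needs; the other control characters
# are rejected too because some mail agents treat them as line breaks.
sub safe_header_value {
    my ($value) = @_;
    return unless defined $value;
    return if $value =~ /[\x00-\x1F\x7F]/;   # any control character
    return if length($value) > 200;          # no oversized header lines
    return $value;
}

# Builds the message text, or dies if the subject fails the header check
# (rule two).  The body sits after the blank line that ends the header
# block, so newlines in $form{detail} cannot add header fields.
sub build_message {
    my (%form) = @_;
    my $subject = safe_header_value($form{subject});
    die "Rejected subject: possible header injection\n"
        unless defined $subject;
    my $body = $form{detail} // '';
    return "To: $TO\nSubject: $subject\n\n$body\n";
}

# Constructed inputs: a normal submission, and one that tries to smuggle
# an extra recipient header through the subject field.
my %ok  = (subject => 'Feedback', detail => "Hello,\nnice site.");
my %bad = (subject => "Feedback\nBcc: somebody\@example.invalid",
           detail  => 'x');

print build_message(%ok);
eval { build_message(%bad) };
print "blocked: $@" if $@;
```

The built string is what would be fed to the sendmail pipe in place of the heredoc above; the check should also cover any other form field that ends up on a header line.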