Of course it depends on how much mail you are talking about here, but for very simple things I pipe my output to mail. For instance, I sometimes have to send a test email to people, to allay their fears of email trouble. The message is always the same, but the address changes, so I wrote up a little script to speed up the 'test message' task. The meat of it is very simple, and looks like this:
eval{ open (MAIL, "|/bin/mail $address -s $mail_subject"); print MAIL "$standard_message \n"; $comment and print MAIL "$comment \n"; close MAIL; }; $@ and die "A local error occurred while attempting to send the messag +e: $@\n";
Now for me, I assume this is "secure enough" in that the script is for my own use. I have hard-coded the path to /bin/mail, so unless someone on my system has access to modify the mail executable, I should have no trouble there; and I know I'm never going to pass it an evil value for $mail_subject like 'cat /etc/passwd | head -20' ...
If I was writing a script for the public to use, I would want to do a lot of checking on those variables to make _sure_ they were safe looking and normal before I passed them to open() ... I would want to think about what would happen if someone tried to pass me some Unicode, or hex escape codes, or abuse the script to send anonymous mail, and so on and so forth.
You can run perl in taint mode (-T) to catch insecure situations where others might potentially pass your script evil values and try to get it to misbehave. You can read all about taint in perlsec. Eventually it comes down to writing a regexp to 'launder' your input of any nastygrams someone might try and pass off.
In reply to Re: Re: bad email code?
by mull
in thread bad email code?
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |