I have to argue the point about using the NMS formmail over
the one found
here. I'm doing ok so far but I think it suffers from the poison null byte and I'm not sure if the test program I have written is correct.
I've taken the decoding section from the script which is used to decode the name and values from the CGI environment. Yes, this doesn't use CGI but thats on my list of errors (see below):
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
Now I've taken this snippet and I've created two files called 'test' and 'testtwo'. The idea is that I *should* open 'testtwo' but if theres the null byte then it opens 'test'. From what I can see it opens 'test' indicating the error.
Now to me, this is correct as all the snippet above does is decode the form data (and thats it). However, I'm about to out my neck out and so I'd love some feedback. My code follows (and the *current* list of errors with that script follow that).
use strict;
use warnings 'all';
my $data = "d:\\test%00two";
print $data,"\n";
$data =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $data,"\n";
my $bob;
open FILE, "<$data" or die "Cannot open $data: $!\n";
{
local $/;
$bob = <FILE>;
}
close FILE;
print $bob;
Note that its hardcoded to my 'd' drive so if you want to run it, you'll have to create the files and change the path.
I put 'in test' and 'in test two' in the respective files.
My list of errors (for the interested) is currently:
Problems:
1) Does not use strict
2) Does not use warnings
3) Does not use taint
4) Does not use the standard CGI module
5) A patch to Matts script version 1.6 - seeing as its now at
version 1.92 why not patch that?
6) Sendmail is called by -t and not by -oi -t
7) No attempt made at checking data length of posted data and
thus preventing posts of arbitrary size
8) No attempt at checking the content type of the post thus
allowing multi-part form data and thus arbitrary length uploads
9) No attempt at stopping uploads
10) The programmatic environment is not cleaned up, ie things not
relating directly to the execution of the program are not
deleted (i.e. IFS CDPATH ENV BASH_ENV)
11) Makes use of arbitrarily declared globals in and out of routines
and doesn't even use 'use vars'.
12) No error trapping on the sending of the email (or in the program
at all). For example, using Carp or even 'local $SIG{__DIE__}'
13) Does not allow for mailing list references within a form and thus
hiding all emails within the web page and prevent spam harvesting.
14) Appears to suffer from the poison null byte issue.
Though of course I'm still working on it :)
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.