Neat! I have to cringe as I read the source code though. There are only 19 commented lines out of 826! Also, it wasn't written with security in mind. For instance, if I have ftp access to an account on a machine running smtp.pl, I can execute arbitrary shell commands by uploading a file to my home directory named ".perlsmtp" containing the line "maildeliver = |/do/whatever".
Here's another thing that jumped out at me:
open(CONFIG, $_[0]) or die "Could not open config file $_[0]\n";
Randal would call this "running with scissors". You should always, always, always specify a mode for open(). E.g.:
open(CONFIG, "<$_[0]") or die "Could not open config file $_[0]\n";
Otherwise you run the risk of a malicious user sneaking a value like "|rm -rf /home" into the filename. The above example isn't exploitable in the smtp script, mind you, but seeing that, I have to wonder what other bad habits might be lurking in the other 825 lines.
-Matt
In reply to RE: An SMTP server in Perl
by DrManhattan
in thread An SMTP server in Perl
by strredwolf
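The difference the post above describes, as an added example (not part of the original post and not code from smtp.pl). The sub names and the sample filename are hypothetical; the filename is constructed and only runs a harmless `echo`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample "filename". The trailing pipe is a mode character that
# two-argument open() parses out of the string itself.
my $name = 'echo two-arg open ran a command|';

# Read one line from an open handle and describe what came back.
sub first_line {
    my ($fh) = @_;
    my $line = <$fh>;
    close($fh);
    return 'read nothing' unless defined $line;
    chomp $line;
    return "read '$line'";
}

# Mode-less two-argument open, the pattern quoted from smtp.pl:
# the caller's string decides whether this is a file or a command.
sub open_no_mode {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!";
    return first_line($fh);
}

# Two-argument open with an explicit '<' prefix, the form the post recommends:
# the leading '<' fixes the mode before the trailing pipe is looked at.
sub open_prefixed {
    my ($file) = @_;
    open(my $fh, "<$file") or return "open failed: $!";
    return first_line($fh);
}

# Three-argument open: the mode is its own argument, so the string is
# only ever treated as a path.
sub open_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return "open failed: $!";
    return first_line($fh);
}

printf "%-22s %s\n", 'no mode:',       open_no_mode($name);
printf "%-22s %s\n", "'<' prefix:",    open_prefixed($name);
printf "%-22s %s\n", 'three-argument:', open_three_arg($name);
```

The prefixed two-argument form still trims whitespace around the filename, which the three-argument form does not.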