Six has asked for the wisdom of the Perl Monks concerning the following question:

Hi, rather new to the perl world. I have some code I customized for my own use for a web page form e-mail. It sends the e-mail, but will ask the user to download the .pl file instead of sending them to my redirect page. Here is the code:

    #!C:/Perl/bin/perl.exe
    use strict;
    use CGI qw(:standard);

    my $sname=param('sendername');
    my $saddr=param('senderaddr');
    my $rname=param('recpientname');
    my $raddr=param('recipientaddr');
    my $subject=param('subject');
    my $server="server.theone.i.use";
    my $ThankPage = "http://the.site.i.want.to.end.with";
    my $message=param('message');
    my $lt='<';
    my $gt='>';

    open (messtxt,">message.txt");
    print messtxt ($message);
    close messtxt;

    my $blat="E:\\Inetpub\\wwwroot\\misc\\blat\\blat.exe -body \"$message\" -s \"$subject\" -t \"$raddr\" -server $server -f \"$saddr\"";
    system($blat);

    print "Location: $ThankPage\n\n";
Any ideas?

Replies are listed 'Best First'.
Re: Perl Mailer
by MidLifeXis (Monsignor) on Dec 17, 2008 at 17:38 UTC

    2 things...

    1. I don't see where you are sending the status code back to the browser (302 in this case, I believe)
    2. However, since you say it is sending the .pl file back to the user, it sounds like your server is not running the .pl file (shouldn't that be .cgi?), but is treating it as a binary file. What are the contents of the file it is asking you to download? See the posts by trwww below.

    Now a few warnings:

    • Your code is not sanitizing the data from the user at all. In fact, it would be trivial to implement a code injection attack against this script. What happens if $message, $subject, $raddr, or $saddr contain quotes, extra parameters, or even extra commands?
    • You are using the one parameter form of system. Use the multiple parameter form of system instead. That can help mitigate the risk of only part of the previous security question.

    Not to be harsh, but this script has gaping holes reminiscent of Matt's Script Archive and large enough for Santa Claus to drive his sleigh through. Please consider finding an application from NMS or other recommended sites that meets your needs.

    --MidLifeXis

      Gaping holes? I'm sure, I'm very new to this and this is just a script I found and am editing to suit my needs. I'm interested in learning more about perl, but deadlines often trump our best laid plans. Thanks for the advice, I'll take a look at all of this and see what I can do, thanks again!

        A mantra oft spoken within the monastery walls is "Don't reinvent the wheel". Now it looks like you are trying to listen to that advice. However, your starting point appears to be not worth it.

        At the very least, look at sanitizing form input, safe system, CGI security, Ovid's old course, and other security topics.

        --MidLifeXis
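The two points MidLifeXis raises above (no status line before the Location header, and form fields pasted unchecked into a single-string system call) can be addressed in one place. The script below is an added illustration, not code from the thread or from any of the linked sites. It keeps the original's blat.exe path and field names, validates the addresses and subject before they reach the mailer, hands blat its arguments through the list form of system so the shell never parses the message body, and lets CGI.pm's redirect() emit the 302 status together with the Location header. The SMTP server and thank-you page are placeholder values.

```perl
#!C:/Perl/bin/perl.exe
use strict;
use warnings;
use CGI qw(:standard);

# Placeholder configuration (not the poster's real hosts).
my $server    = 'smtp.example.invalid';
my $ThankPage = 'http://www.example.invalid/thanks.html';
# blat.exe path as given in the original post.
my $blat      = 'E:\\Inetpub\\wwwroot\\misc\\blat\\blat.exe';

# Accept only a plain address shape; anything containing quotes, spaces or
# other shell metacharacters fails the match and is rejected outright.
sub clean_addr {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/;
    return undef;
}

# A header field must be a single line: strip CR/LF so the user cannot
# inject additional mail headers, and cap the length.
sub clean_header {
    my ($raw) = @_;
    return undef unless defined $raw;
    $raw =~ s/[\r\n]//g;
    return undef if $raw eq '' || length($raw) > 200;
    return $raw;
}

# Build the argument list for the list form of system(): each element is
# passed to blat.exe as one argument, no shell quoting to get wrong.
sub build_blat_command {
    my (%f) = @_;
    return ($blat,
        '-body',   $f{message},
        '-s',      $f{subject},
        '-t',      $f{raddr},
        '-server', $server,
        '-f',      $f{saddr});
}

my $saddr   = clean_addr(param('senderaddr'));
my $raddr   = clean_addr(param('recipientaddr'));
my $subject = clean_header(param('subject'));
my $message = defined param('message') ? param('message') : '';

unless ($saddr && $raddr && $subject) {
    # Reject bad input with an explicit status instead of mailing it on.
    print header(-status => '400 Bad Request'), "Invalid form input.\n";
    exit;
}

my @cmd = build_blat_command(message => $message, subject => $subject,
                             raddr   => $raddr,   saddr   => $saddr);
my $rc = system(@cmd);
if ($rc != 0) {
    print header(-status => '500 Internal Server Error'), "Mail send failed.\n";
    exit;
}

# redirect() prints "Status: 302 Found" plus the Location header, which is
# the part the original "print Location:" line was missing.
print redirect($ThankPage);
```

One caveat on the list form: on Windows, perl still has to join the list back into a single command line for CreateProcess (it quotes each element for you), so the list form removes the shell from the picture but does not remove the need for the input checks; the address and header validation above is what keeps a crafted field from turning into extra blat switches.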

Re: Perl Mailer
by trwww (Priest) on Dec 17, 2008 at 18:13 UTC

    Hello,

    Rename your script to have a .cgi extension.

    Also see Node #687731.

    Regards,

      I am not certain that is the issue. See the struck portion of my first post. If there is no content type header provided by the script, I think that the default type for a .pl file would be used. I am not certain what Six's server will do. Specifically since it is said that the email is sent.

      --MidLifeXis

        Hello,

        I knew I should have left this thread alone. I'd probably put money on this problem being what is described in the link I've provided. I've dealt with it a few times.

        Not sure what your pointing out the email being sent means. That's what the script does... send email.

        Regards,