On Wed, 15 May 2002 02:11:22 +0100, Drieux wrote:

> On Tuesday, May 14, 2002, at 10:45 , Dave Cross wrote:
>> On Mon, 13 May 2002 17:14:03 +0100, Drieux wrote:
> [..]
>>> there was a security update to v1.92 on 04/21/02 has there been some
>>> new issue arise??? since then?
>>
>> Matt's version 1.92 fixes all of the spam relay problems with FormMail.
>> There are, I believe, a couple of Cross-Site Scripting vulnerabilities
>> remaining.
>
> thanks for the heads up on that. My working premise then is that any
> such issues are closed in the nms?

We think so. But if you find something be sure to let us know [EMAIL PROTECTED]

> I have only just started to
> deconstruct it. There seems to be way more firepower in this than I
> think we will want to use.... but...

There's really not much in there that isn't available in Matt's version.

> I have found a few things I would wonder about - but these tend to be
> the sorts of trade offs on when is it really better to code in line - or
> have a simple function test....

We'd be interested in hearing any questions that you've got about the code.

>> However secure this version is, it's still written for Perl for and
>> doesn't use "strict", "-w", taint mode or CGI.pm. It's a really bad
>> example of Perl code and I wouldn't want anyone to see the source and
>> think they can learn Perl from it.
> [..]
>
> So far about the only complaint I have with the nms FormMail is that the
> tarball did not come with a version number in it, hence I have no
> tracking control on the tarball or the folder that it generates.

Well, there's a CVS version number in the script. But you're right, we need to make that visible _before_ you download it.

Dave...

--
Shoot some of those missiles, think of us as fatherless scum
It won't be forgotten 'cause we'll never say anything nice again
Will we?