Camilo Gonzalez wrote:My concern is to prevent a spammer from sending BCC messages using the email field of my contact form. I figure if I can prevent him from sending a line with more than one asterisk and/or a slash followed by an n, I can prevent him from sending BCC messages. I realise there are lots more dangerous characters out there but frankly, I'm too damn lazy to look for them. I truly do appreciate your help and I apologize if you've taken umbrage with anything I've said, but TMTOWTDO, man. Chill. More of my code follows if you've got the time and inclination to rip it further.
zsdc wrote:
Tracy Hurley wrote:Seems like a tad bit of overkill for my purpose. Thanks for the caveat about other unsafe characters and I'll keep the CGI::Untaint module in mind in the future.
Camilo,
I don't think you need to put $email in quotes to do the check, but it works if you do. Try this:
die &Print_Error if $email =~ /@.*@/ || $email =~ /\n/;
It still might not be secure depending on how $email is being used later. Is it used in a system() call? In open()? In backticks? What about the whitespace? What if there is "\r" in $email? What about ";"? "\0"?
I would suggest to match safe characters, not the unsafe ones, because it's easy to overlook something. Camilo, it's very good that you use the taint mode here. Check out CGI::Untaint::email, this is exactly what you need:
http://search.cpan.org/search?module=CGI::Untaint::email http://search.cpan.org/search?module=CGI::Untaint
It's used like this:
use CGI::Untaint;
my $untaint = CGI::Untaint->new($cgiobj->Vars);
my $email   = $untaint->extract(-as_email => 'email');
You should do the same with other parameters, like name and address. You might need to write your own handler, but it's very easy. Here's an example from the CGI::Untaint documentation, to match a single digit:
package Mysite::CGI::Untaint::digit;
use base 'CGI::Untaint::object';
sub _untaint_re { qr/^(\d)$/ }
1;
It seems I needed to escape the backslash in '\n'. Here's my new code:
#!/usr/local/bin/perl -wT
use CGI::Carp qw(fatalsToBrowser);
use strict;
use CGI;
my $cgiobj = new CGI;
$ENV{PATH} = "";
#Get parameters
my $name    = $cgiobj->param('name');
my $address = $cgiobj->param('address');
my $email   = $cgiobj->param('email');
die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;
My advice about unsafe characters was to match _safe_ characters instead of unsafe ones, i.e.:
die unless $email =~ /^ safe pattern $/;
and never:
die if $email =~ /^ unsafe pattern $/;
I haven't even shown every potentially dangerous character, those were only a few examples. To be honest I can't understand why this is overkill:
use CGI::Untaint;
my $untaint = CGI::Untaint->new($cgiobj->Vars);
my $email   = $untaint->extract(-as_email => 'email');
while this isn't:
my $email = $cgiobj->param('email');
die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;
especially when your regular expression has to be much longer, because it still is unsafe. (By the way, it doesn't match a newline, only a backslash followed by "n").
How do you use the $mail variable later in your program? How do you actually send the email? I'll tell you how it can be dangerous, but only when I know how it is used.
#!/usr/local/bin/perl -wT
#use CGI::Carp qw(fatalsToBrowser);
use strict;
use CGI;
my $cgiobj = new CGI;
$ENV{PATH} = "";
#Get parameters
my $name    = $cgiobj->param('name');
my $address = $cgiobj->param('address');
my $email   = $cgiobj->param('email');
die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;
my $comments = $cgiobj->param('comments');
#send emails to Camilo and sender
my $from ='Opensourceman';
my $subject = 'Contact Confirmation from Opensourceman';
my $reply = '[EMAIL PROTECTED]';
my $sendmail = '/usr/lib/sendmail -i -t';
open (SENDMAIL, "|$sendmail") or die "Cannot open sendmail: $!";
print SENDMAIL "To: $email, $reply\n";
print SENDMAIL "From: $from\n";
print SENDMAIL "Reply-to: $reply\n";
print SENDMAIL "Subject: $subject";
print SENDMAIL "\n\n";
print SENDMAIL "Thanks for contacting Opensourceman. Below is what you submitted to us:\n
Name: $name\n
Address: $address\n
Email: $email\n
Comments: $comments \n\n We will be contacting you shortly";
close(SENDMAIL);
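An added example, not posted by anyone in this thread, showing zsdc's allow-list advice applied to the fields the script above interpolates into sendmail headers, with the thread's block-list beside it for comparison. The two patterns in %SAFE are assumptions made for this example, not the ones CGI::Untaint::email ships with.

```perl
use strict;
use warnings;

# Allow-list validation: anchor a pattern of permitted characters and hand
# back only the captured part. Under -T, returning $1 from such a match is
# also what untaints the value. These patterns are this example's assumptions.
my %SAFE = (
    email => qr/\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/,   # exactly one address
    name  => qr/\A([\w .'-]{1,80})\z/,                 # printable, one line
);

sub untaint {
    my ($field, $raw) = @_;
    return unless defined $raw && $raw =~ $SAFE{$field};
    return $1;
}

# The block-list used in the thread, for comparison. Inside a regex "\\n"
# matches a backslash followed by the letter n, not a newline character.
sub blocklist_rejects {
    my ($raw) = @_;
    return $raw =~ /@.*@|\\n|;|\0|,/s ? 1 : 0;
}

# Constructed inputs. A bare LF or CR in the field would end the
# "To: $email" header line and start a new one in the piped message.
my @samples = (
    'user@example.org',
    "user\@example.org\nX-Injected: yes",
    "user\@example.org\rX-Injected: yes",
    'user@example.org,other@example.net',
    'user@example.org;other@example.net',
);

for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;   # make control characters visible
    $shown =~ s/\r/\\r/g;
    printf "%-40s blocklist_rejects=%d allowlist_accepts=%d\n",
        $shown, blocklist_rejects($s), defined untaint(email => $s) ? 1 : 0;
}

# The same idea for the other parameters the script mails out.
printf "name accepted: %s\n", untaint(name => 'Camilo Gonzalez') // '(rejected)';
```

The CR and LF samples pass the block-list (only one "@", no literal backslash-n) but fail the allow-list, which is the gap zsdc describes.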
-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>