Gunnar Hjalmarsson wrote:
>> For the body of the message, one thing that occurs to me is \n.\n as
>> that would end the message? But presumably nothing else could be entered
>> after that as sendmail would close?
>
> True. But that's not exactly a security issue, right?
No, not as long as it does close the connection, but I wasn't 100% sure
that there is no risk from this.
>> So there's nothing that they could "inject" and compromise security in
>> any way?
>
> Not as far as I know.
Great, thanks.
>> For the header, other than newlines, what should I consider?
>
> Not quite sure of what you mean.
Earlier you said "if one or more parameter is intended for the message
headers, there are a few things to consider." I just meant to ask what
those things were.
> In CGI::ContactForm (the module I'm using for the contact form you
> see if you click the link below) I do something like:
>
> for ( [ user data for inclusion in message headers ] ) {
> s/^\s+//;
> s/\s+$//;
> s/\s+/ /g;
> }
>
> That wipes out all attempts to include newlines.
Thanks. I will be sure to strip out newlines from now on :)
> Besides that you may want to validate possible email addresses. And
> please think twice before you let the users submit anything to "To:",
> "Cc:" or "Bcc:".
I do some basic email validation:
/ ^ [...@]+ \@ (?: [^.]+ \. )+ [a-zA-Z]{2,3} $ /x
The only header I use user submitted data for is the reply-to header (so
I can hit reply).
--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
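The whitespace-collapsing substitutions quoted from CGI::ContactForm and the address check in the reply above, put together as an added example. This is not Gunnar's module code or code from the original thread; the addresses, form field names and the helper names clean_header_value, looks_like_email and build_headers are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not CGI::ContactForm): sanitise user-supplied values before
# they go into mail headers, and apply a basic address check.
use strict;
use warnings;

# Trim the ends and collapse every whitespace run, including CR and LF, into a
# single space, mirroring the three substitutions quoted above. A value cleaned
# this way can never contain a line break, so it cannot be followed by an
# extra header line of the sender's choosing.
sub clean_header_value {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/^\s+//;
    $value =~ s/\s+$//;
    $value =~ s/\s+/ /g;
    return $value;
}

# Basic syntactic check in the spirit of the regex in the reply above: a local
# part with no "@" or whitespace, one or more dot-separated domain labels and a
# 2-3 letter top-level label. \z is used instead of $ so that a trailing
# newline cannot slip past the anchor. Deliberately simple, not an RFC 5322 parser.
sub looks_like_email {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return $addr =~ / ^ [^\s\@]+ \@ (?: [^\s.\@]+ \. )+ [a-zA-Z]{2,3} \z /x ? 1 : 0;
}

# Build the header block for a contact-form message. As in the reply above,
# only Reply-To carries user data; From and To are fixed by the site.
# The addresses are constructed placeholders.
sub build_headers {
    my (%f) = @_;
    my $reply_to = clean_header_value($f{email});
    die "invalid email address\n" unless looks_like_email($reply_to);
    my $name = clean_header_value($f{name});
    return join "\n",
        "From: contactform\@example.invalid",
        "To: webmaster\@example.invalid",
        "Reply-To: $reply_to",
        "Subject: Contact form message from $name",
        '';
}

# Constructed inputs: a normal submission, then a name field containing a
# line break. After cleaning, the CRLF becomes a single space, so the text
# that followed it is just part of the Subject value, not a header of its own.
my %ok = ( name => '  Alice   Smith ', email => 'alice@example.com' );
print build_headers(%ok), "\n";

my %with_newline = ( name => "Mallory\r\nX-Extra: value", email => 'mallory@example.com' );
print build_headers(%with_newline), "\n";

# An address field containing a line break is rejected rather than cleaned:
# the collapsed space makes it fail looks_like_email.
eval { build_headers( name => 'Bob', email => "bob\@example.com\nX-Extra: value" ) };
print "rejected: $@" if $@;
```

The cleaning step is the one that matters for the headers; the address check only guards what goes into Reply-To. For the body, if the message is piped to sendmail, the `-oi` (or `-i`) option makes it ignore a line consisting of a single dot, so user text cannot end the message early.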