2009/3/16 Nigel Peck <nigel.p...@miswebdesign.com>:
>
> I'd appreciate hearing (reading!) people's thoughts on making web form data
> safe for using to compose an email via sendmail.
>
> Basically, see comments in pseudo-code below, what should I be doing to the
> data to make it safe?
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> use strict;
> use CGI;
>
> my $query = new CGI;
>
> my $example_data = $query->param('some_form_item');
>
> ## What should I be doing to $example_data to make it safe??
>
> my $sendmail = '/usr/lib/sendmail';
>
> open (SENDMAIL, "|$sendmail $webmaster") || die "Can't open $sendmail!\n";
>
> # Etc.
>
> print SENDMAIL $example_data . "\n";
>
> print SENDMAIL ".\n";
>
I think you might consider not using sendmail directly but instead using the MIME::Lite or Net::SMTP modules. Your code is about to pipe directly into a system binary, and there may be scope for error/abuse.

You might also consider restricting the size and type of the data. You probably don't want someone dumping a 20 MB binary file into your form and for you to pass it to sendmail.

I believe it is also good practice to enable taint checks on your script if you're using CGI, although I am not sure if that is necessary in this case.

HTH,
Dp.

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
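As an added example, not code from either poster, here is one way to put the three suggestions above together in a CGI script: taint mode on, MIME::Lite building and sending the message instead of a hand-rolled sendmail pipe, a cap on request size with uploads disabled, and CR/LF stripped from anything that lands in a header so a form value cannot smuggle in extra headers such as a Bcc: line. The recipient address webmaster@example.com, the form field names subject/email/message, and the size limits are assumptions for the example; nothing in the thread fixes them.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): taint mode, MIME::Lite instead of a
# hand-rolled sendmail pipe, size limits, and header-injection defence.
use strict;
use warnings;
use CGI;
use MIME::Lite;

# Taint mode refuses to hand tainted data to open()/system()/exec and
# insists on a clean environment before any child process is started.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Cap the request body and disable file uploads before CGI parses it
# (the limits are assumptions; pick what the form actually needs).
$CGI::POST_MAX        = 64 * 1024;
$CGI::DISABLE_UPLOADS = 1;

my $query = CGI->new;
if (my $err = $query->cgi_error) {        # e.g. "413 Request entity too large"
    print $query->header(-status => $err);
    exit;
}

# The recipient is a constant in the script, never a form parameter.
my $webmaster = 'webmaster@example.com';  # assumed address

# A header value must be a single line: a CR or LF inside user data would
# let the sender append headers (Bcc:, a second To:) or end the header
# block early. Returning the captured group also untaints the value.
sub clean_header_field {
    my ($value, $max) = @_;
    return '' unless defined $value;
    $value =~ s/[\r\n]+/ /g;
    $value = substr($value, 0, $max);
    return $value =~ /\A([\x20-\x7e]*)\z/ ? $1 : '';
}

# Reply-To is optional; accept only something shaped like one address.
sub clean_reply_to {
    my ($addr) = @_;
    return '' unless defined $addr;
    return $addr =~ /\A([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/ ? $1 : '';
}

# Assumed form field names: subject, email, message.
my $subject = clean_header_field(scalar $query->param('subject'), 200) || 'Web form';
my $reply   = clean_reply_to(scalar $query->param('email'));
my $body    = $query->param('message');
$body = '' unless defined $body;
$body =~ s/\r\n?/\n/g;              # normalise line endings
$body = substr($body, 0, 20_000);   # body length cap (assumed)

my $msg = MIME::Lite->new(
    From    => $webmaster,
    To      => $webmaster,
    Subject => $subject,
    Type    => 'text/plain',
    Data    => $body,
);
$msg->add('Reply-To', $reply) if $reply;

# MIME::Lite runs sendmail itself with a fixed command line; form data only
# travels down the pipe as message content, never as part of the command.
# To avoid a child process entirely, point it at a local SMTP listener
# instead: MIME::Lite->send('smtp', 'localhost');
$msg->send or die "send failed\n";

print $query->header(-type => 'text/plain'), "Thanks, your message was sent.\n";
```

The important difference from the original sketch is that nothing from the request is ever interpolated into the string handed to open(); with `-T` on, Perl would refuse that outright. If you would rather keep the sendmail pipe and skip MIME::Lite, the same protection comes from the list form, `open(my $fh, '|-', '/usr/lib/sendmail', '-oi', '--', $webmaster)`, which bypasses the shell, but the CR/LF stripping for header lines is still needed either way.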