Roland makes some very important points. You might be able to address it, though, by adding a check in the form-processing taf that looks at the referring URL and compares it to a list (one form mailer, and you keep a list in a text file next to the taf that you can update with the sites you want to allow to use it). You could use <@cgiparam name=referrer> to get the site or, if it's known, the IP address. If the list is external to the taf, you could update it pretty easily without having to open and resave the taf. Since no one would have access to the taf directory directly, they'd never know the list was there.

Jason
--



On Mar 7, 2005, at 8:07 PM, Roland Dumas wrote:


In fact, I just sent a couple of messages through your form handler to
arbitrary (my) addresses from bogus senders with arbitrary content. You are,
in effect, an open relay.


You can have no fewer than 2 tafs to do this without causing yourself
headaches:

1. Arbitrary content, constrained recipients
2. Arbitrary recipients, constrained content

And you can't constrain by placing things in hidden fields. They're not
hidden and quite accessible.


F'rinstance:

The #1 case:

You can allow the form designer lots of latitude to create fields, as long
as at least one is constrained to a selection list, say the subject. If the
subject list is maybe 10 items, then your taf can direct it to the
appropriate recipient based on the subject. The recipient is both truly
hidden and constrained. (You can make this recipient selection logic
complex, if that's to your liking.)


(You'd have to pull out all the ARGs and their values to place in the email
message, and you're ok.)


The #2 Case:

A form on a web page that says "send me to your friends". Sender puts in
his/her own sender email, recipient's, a message, and off it goes. The taf
then generates a copy of that page with the sender's comments and sends to
the recipient. That has little value to a hijacker, because your content is
filling up the page.


Moral: All Purpose = All Headache

On 3/7/05 4:18 PM, "Robert Shubert" <[EMAIL PROTECTED]> wrote:

I would be willing to share mine if you would like. It has some
semi-advanced features. I'm not certain how I would release it, but
that's open for discussion. I wouldn't charge for it. You can see what
it does here:

http://www.tronics.net/formhandler.taf?_function=help

Feel free to try it out.

Robert

On Mar 7, 2005, at 5:54 PM, Fogelson, Steve wrote:

Has anyone written an all-purpose general taf that would accept arguments
from a form and would send them to the specified email address, similar
to the script available as freeware? Probably need a return URL to
execute when finished.


i.e., a "contact us", etc. form

I would like to avoid using a script and use Witango instead. I can
probably write one, but just checking to see if anyone has one to share.

Thanks

Steve Fogelson
Internet Commerce Solutions
_______________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf





-----------------------------------------
Roland Dumas
Roberts Information Services
310 W. Bellevue Avenue
San Mateo CA 94402
650-347-1373
415-412-9300 (cell)
[EMAIL PROTECTED]
SMS: http://new.servqual.com/html/sms.tml






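An added illustration of the two controls discussed in the thread, written in Python rather than as a Witango taf and not taken from any of the posters' code: the recipient is never read from the form (hidden field or otherwise) but chosen server-side from a fixed selection-list value, as in Roland's case #1, and the Referer is compared with a host allowlist kept in a text file, as Jason suggests. All addresses, hostnames and the allowlist contents are made up for the example. One caveat on the referrer check: the Referer header is sent by the client and can be set to anything, so it only deters casual misuse; the recipient mapping is what actually stops the handler being an open relay.

```python
"""Form-to-mail handler that is not an open relay.

Illustration (Python, not a Witango taf) of two controls from the thread:
  * the recipient never comes from the client; a constrained <select>
    value ("subject") is mapped server-side to an address;
  * the Referer header is compared with a host allowlist kept in a plain
    text file outside the web root.
All addresses, hosts and the allowlist contents are constructed examples.
"""
from email.message import EmailMessage
from urllib.parse import urlsplit

# Server-side mapping: selection-list value -> recipient (hypothetical addresses).
# This is the only place a recipient can come from.
SUBJECT_TO_RECIPIENT = {
    "sales": "sales@example.org",
    "support": "support@example.org",
    "billing": "billing@example.org",
}

# Fixed envelope sender; the visitor's own address goes in the body, not a header.
FORM_SENDER = "forms@example.org"

# Constructed stand-in for the allowlist text file kept next to the taf.
ALLOWLIST_TEXT = """\
# hosts allowed to post to this form mailer
www.example.org
example.org   # apex as well
"""


def load_allowlist(text):
    """One hostname per line; '#' starts a comment; blank lines are ignored."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            hosts.add(line)
    return hosts


def referrer_allowed(referrer, allowed_hosts):
    """Exact host match only, so 'www.example.org.evil.example' is rejected.

    Referer is supplied by the client and can be forged, so this only stops
    casual misuse; the recipient mapping below is the real control.
    """
    if not referrer:
        return False
    host = urlsplit(referrer).hostname
    return host is not None and host.lower() in allowed_hosts


def build_message(form, referrer, allowed_hosts):
    """Build the outgoing message or raise ValueError.

    `form` is the dict of submitted fields. Any client-supplied 'to' or
    'recipient' field (hidden or not) is ignored; only `subject` chooses the
    destination, and only if it is one of the fixed selection-list values.
    """
    if not referrer_allowed(referrer, allowed_hosts):
        raise ValueError("referrer not on allowlist")
    subject_key = form.get("subject", "")
    if subject_key not in SUBJECT_TO_RECIPIENT:
        raise ValueError("subject is not one of the selection-list values")

    # Pull out all submitted fields for the body, minus the routing fields.
    body_lines = [
        f"{name}: {value}"
        for name, value in sorted(form.items())
        if name not in ("to", "recipient", "subject")
    ]
    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SUBJECT_TO_RECIPIENT[subject_key]
    msg["Subject"] = f"Web form: {subject_key}"
    msg.set_content("\n".join(body_lines) + "\n")
    return msg


if __name__ == "__main__":
    allowed = load_allowlist(ALLOWLIST_TEXT)
    # Constructed submission in which a hidden 'to' field has been overridden.
    forged = {"subject": "sales", "name": "Visitor", "email": "v@example.net",
              "to": "victim@example.com", "message": "hello"}
    msg = build_message(forged, "https://www.example.org/contact.html", allowed)
    print(msg["To"])  # sales@example.org, not the forged value
    try:
        build_message(forged, "https://attacker.example/relay.html", allowed)
    except ValueError as err:
        print("rejected:", err)
```

The same shape carries over to a taf: keep the subject-to-recipient table and the allowlist in files the web server never serves, read `<@cgiparam name=referrer>` for the host check, and build the message body from the submitted ARGs while taking the recipient only from the table.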