From: Stephen Samuel (samuelbcgreen.com)
Date: Fri May 14 2004 - 16:33:44 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bryce Porter wrote:
> Stephen,
>
> When calling a binary directly, you run a lot of risks, especially
> format string vulnerabilities.
>
> I agree about using the fixed To: address, but I think he was originally
> wanting that to be flexible. If not, fixed is most definitely the way to
> go.

My understanding is that he was looking for something to replace
mailto: links and that didn't expose your email address to
spammers, (and didn't allow spammers to hijack your server).

A fixed destination on the CGI helps towards both of those.
At that point the only user-input that goes into the header
should be the Subject: field -- and you can move that into
the body if you want to.

Once you're dealing with the body, the only thing that you
really have to worry about is making sure that you don't send
a line with a bare '.'. From what I can see you may have to
worry about the same thing with Net:SMTP .

 From where I sit, feeding /usr/sbin/sendmail directly is
pretty much the same as talking to localhost:25, and
Net::SMTP is (if you're sending to/via localhost), just
a prettied-up way of doing the same thing. (it doesn't even
seem to directly support MIME).

It does, however, get more useful if you want to talk
to a remote server and/or play a bit with the TCP/IP options,
etc.

In my case, my CGI scripts punts the Email to a second
script which does a bit more pre-procesing, then calls
sendmail with the result. It could have just as
easily used Net::SMTP *and I may just play with doing that
for the exercise).

--
Stephen Samuel +1(604)876-0426 samuelbcgreen.com
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]