
Re: [MacPerl-WebCGI] Quoting body from a WWWboard posting



>>At 19:32 -0700 07/22/1999, Bruce Van Allen wrote:
>>>1. Too many of us too many times find errors, security problems, or
>>>poor handling of special cases in MW's scripts. I would guess many
>>>have also learned some Perl the hard way by trying to fix these
>>>scripts... ;-)
>>
>>You mean like FormMail.cgi?
>>
>>Richard Gordon
>>--------------------
>
> As a newbie to CGI programming and currently using Formmail, this caught
> my attention.  I am interested in learning more about the things in
> Formmail that need to be fixed, particularly if there are any security
> issues.
>
> Thanks,
> Brian

PMFJI:

FormMail, in and of itself, is harmless - it will allow your users to
send mail as if they were someone else, but anyone who can
program simple scripts in Perl can already do that.

The biggest issue I found in FormMail is that you can get the
script to mail out server files, if it is not set up properly.
For that reason I quit using it some time ago.

I had expressed an interest in clp.misc to possibly start a
group to rewrite some of the more popular scripts into a
correct form: proper -w, strict, taint-safe versions, but
no one seemed interested...

Here is some starter code, if anyone is interested in
replacing FormMail with one that addresses their
own needs better.  It's an AutoResponder by Jochen Wiedmann,
which I have changed somewhat, but it will give you some
ideas about how to provide the FormMail functions yourself:

#!/usr/local/bin/perl -w

=pod

=head1 NAME

    autoresponder - A script for receiving a mail and immediately replying.


=head1 SYNOPSIS

    autoresponder [options] [filename]


=head1 DESCRIPTION

While installing a new mail server or client you typically send
and receive test mails over and over again. Even worse, you sometimes
have to make a phone call and ask someone to send a mail to you.

This script will help you in some cases by setting up an email address
like autoresponder@company.com that receives mail and immediately
replies to it.


=head1 INSTALLATION

Install the prerequisite Perl modules, in particular Graham Barr's
excellent Mailtools package. L<Mail::Internet(3)>.

In /etc/mail/aliases or /etc/aliases, put lines like this:

 autoresponder: "| /usr/local/bin/autoresponder"
 owner-autoresponder: /dev/null
 autoresponder-owner: /dev/null

Then do a "newaliases".

Edit the autoresponder script and change the reply-to address to
point back to one of the owner addresses. This should have the
advantage that you won't see error messages generated by the
autoresponder.


=head1 SCRIPT CATEGORIES

mailstuff


=head1 PREREQUISITES

The MailTools package, in particular the Mail::Internet module.
L<Mail::Internet(3)>.


=head1 OSNAMES

any OS using sendmail or a compatible mail server


=head1 AUTHOR

 Jochen Wiedmann
 Am Eisteich 9
 72555 Metzingen
 Germany

 Email: joe@ispsoft.de


=head1 SEE ALSO

L<Mail::Internet(3)>, L<aliases(5)>


=cut

use strict;
use diagnostics;

############################################################################
#
#   Configurable section
#
############################################################################

my $REPLY_TO = 'root@localhost';
#
#   Use an entry like
#
# autoresponder-owner: /dev/null
#
#   to suppress error messages from autoresponders replies.
#
############################################################################

use Mail::Internet ();
use Getopt::Long ();

use vars qw($opt_debug $opt_verbose $opt_help);


sub Usage() {
    print <<EOF;
Usage: autoresponder [options] [filename]

Reads an email from [filename] (default: stdin) and replies to the sender.

Possible options are:
    --debug     Turn on debugging mode. (Suppresses actions)
    --help      Print this help message.
    --verbose   Turn on verbose mode.
EOF
    exit 1;
}

# GetOptions does not die on a bad option; it warns and returns false,
# so the return value (not $@) is what has to be checked.
Getopt::Long::GetOptions('debug', 'verbose', 'help') or Usage();
Usage() if $opt_help;
$opt_verbose = 1 if $opt_debug;

my $fh;
if (@ARGV) {
    my $file = shift @ARGV;
    # Three-argument open: the filename is never parsed for mode
    # characters such as a leading '|' or '>', and the handle is lexical.
    open($fh, '<', $file) or die "Failed to open $file: $!";
    print "Reading mail from $file.\n" if $opt_verbose;
} else {
    $fh = \*STDIN;
    print "Reading mail from STDIN.\n" if $opt_verbose;
}

my $msg = Mail::Internet->new($fh, 'Modify' => 0, 'MailFrom' => 'KEEP');

my @headers = @{$msg->head()->header()};
my @body = @{$msg->body()};
# Body lines are written back out as-is, so each element should end in "\n"
# unless it is meant to run into the next one.  The "Security Number" is just
# the nine localtime fields concatenated, as in the original list-context use.
my @message = (
    "Hello from the E-Mail AutoResponder :]\n",
    "Your mail was received by the autoresponder on ", scalar localtime, ".\n",
    "Your mail was assigned the following (dss) Security Number: ",
    join('', localtime), ".\n",
    "\n",
    "=== Your message's E-Mail Header, as sent:\n\n",
    @headers,
    "=== End of Headers\n",
    "\n",
    "=== Your message's E-Mail Body, as sent, follows:\n\n",
    @body,
    "=== End of Body\n",
);

# reply() builds a new message addressed back to the sender of the incoming
# mail (Reply-To, else From) with a "Re:" subject; we then replace its body.
$msg = $msg->reply();
$msg->body(\@message);

print("Replying to $REPLY_TO.\n") if $opt_verbose;
$msg->head()->replace('Reply-To', $REPLY_TO);
print("Replying message:\n", $msg->as_string()) if $opt_verbose;
$msg->smtpsend() unless $opt_debug;


HTH,
-Sneex-  :]
____________________________________________________________________
Bill Jones * Data Security Specialist * http://jacksonville.pm.org/
FCCJ * 501 W State St * Jacksonville, FL 32202 * 1 (904) 632-3089
    __ __                      __ __         __
   / // /__ ____  ___  __ __  / // /__ _____/ /_____ ____
  / _  / _ `/ _ \/ _ \/ // / / _  / _ `/ __/  '_/ -_) __/
 /_//_/\_,_/ .__/ .__/\_, / /_//_/\_,_/\__/_/\_\\__/_/
          /_/  /_/   /___/
         Running LinuxPPC RedHat 5.0 (Hurricane)
       __ _                     http://www.linuxppc.org
      / /(_)_ __  _   ___  __   http://www.apache.org
     / / | | '_ \| | | \ \/ /   http://www.redhat.com
    / /__| | | | | |_| |>  <    http://www.perl.com
    \____/_|_| |_|\__,_/_/\_\   http://www.gimp.org
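The thread above asks what a "correct form, proper -w, strict, taint-safe" replacement for FormMail would look like. The following is an added example written for this page; it is not FormMail, not Jochen Wiedmann's autoresponder, and not code posted by anyone in the thread. It assumes a hypothetical site whose own mailboxes are listed in %RECIPIENTS, a sendmail binary at /usr/sbin/sendmail, and a form that posts "recipient" (a short token, never a raw address), "email", "realname", "subject" and any number of free-text fields. The three controls it demonstrates are the ones that matter for a mail-sending CGI: the browser can only pick a recipient from a list the script owns, so the script cannot be used to relay mail to arbitrary addresses; every value placed in a header is checked to be a single line, so a submitted field cannot smuggle in a Bcc: or other extra header; and the mail program is started with list-form open, so no visitor-supplied byte ever reaches /bin/sh.

```perl
#!/usr/bin/perl -wT
# Added example (not FormMail and not code from this thread): a FormMail-style
# CGI that runs under strict and taint mode.  Hypothetical assumptions: the
# site lists its own addresses in %RECIPIENTS, sendmail is /usr/sbin/sendmail,
# and the form posts "recipient" (a token), "email", "realname", "subject" and
# any number of free-text fields.
use strict;
use CGI ();
use Mail::Internet ();                        # MailTools, as used by the autoresponder

$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';       # -T will not exec with an untrusted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my %RECIPIENTS = (                            # the only addresses this script will ever mail
    webmaster => 'webmaster@example.com',     # hypothetical addresses
    sales     => 'sales@example.com',
);
my $FROM     = 'www@example.com';             # fixed sender; the visitor's address goes in Reply-To
my $SENDMAIL = '/usr/sbin/sendmail';
my %RESERVED = map { $_ => 1 } qw(recipient email realname subject);

# A header value must be one line: a CR or LF in it would let the visitor
# append headers of their own (say, "Bcc: <a list>") to the message we build.
sub header_field {
    my ($value, $max) = @_;
    $max = 200 unless defined $max;
    return undef unless defined $value && length($value) <= $max;
    return undef if $value =~ /[\r\n\0]/;
    my ($clean) = $value =~ /\A(.*)\z/s;      # the checks above are the policy; this untaints
    return $clean;
}

# Deliberately narrow address syntax; only what matches is untainted and used.
sub address {
    my ($value) = @_;
    return undef unless defined $value;
    my ($clean) = $value =~ /\A([\w.+-]+@[\w-]+(?:\.[\w-]+)+)\z/;
    return $clean;
}

# Turn the submission into a Mail::Internet object plus the delivery address,
# or die with a one-line reason for the visitor.
sub build_message {
    my ($q) = @_;
    my $token = $q->param('recipient');
    my $to = defined $token ? $RECIPIENTS{$token} : undef;
    die "unknown recipient\n" unless defined $to;      # never an address taken from the form
    my $reply = address($q->param('email')) or die "invalid email address\n";
    my $subject = header_field($q->param('subject'));
    $subject = 'Web form submission' unless defined $subject && length $subject;
    my $name = header_field($q->param('realname'), 80);

    my $origin = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : 'the command line';
    my @body = ("Form submitted from $origin\n",
                "Name: " . (defined $name ? $name : '') . "\n", "\n");
    for my $field (sort { $a cmp $b } $q->param) {
        next if $RESERVED{$field};
        next unless $field =~ /\A[\w-]{1,64}\z/;       # field names end up in the mail too
        my @values = $q->param($field);
        s/\0//g for @values;                           # body text may span lines; NULs never belong
        push @body, "$field: " . join(', ', @values) . "\n";
    }

    my $msg = Mail::Internet->new;
    $msg->head->add('To',       $to);
    $msg->head->add('From',     $FROM);
    $msg->head->add('Reply-To', $reply);
    $msg->head->add('Subject',  $subject);
    $msg->body(\@body);
    return ($msg, $to);
}

# Hand the message to sendmail without a shell: list-form open execs the
# program directly with fixed arguments, so nothing the visitor sent is parsed
# as a command line.  $to comes from %RECIPIENTS, so it cannot start with '-'.
sub deliver {
    my ($msg, $to) = @_;
    open(my $mail, '|-', $SENDMAIL, '-oi', '-f', $FROM, $to)
        or die "cannot run $SENDMAIL: $!\n";
    $msg->print($mail);
    close($mail) or die "sendmail exited with status " . ($? >> 8) . "\n";
}

my $q = CGI->new;
my ($msg, $to) = eval { build_message($q) };
if (!defined $msg) {
    my $err = $@ || "internal error\n";
    chomp $err;
    print $q->header(-status => '400 Bad Request', -type => 'text/html'),
          '<p>Form not sent: ', $q->escapeHTML($err), "</p>\n";
    exit 0;
}
if (defined $ENV{GATEWAY_INTERFACE}) {
    deliver($msg, $to);
    print $q->header(-type => 'text/html'), "<p>Thank you, your message has been sent.</p>\n";
} else {
    $msg->print(\*STDOUT);                    # run from a shell: show the mail instead of sending it
}
```

CGI.pm accepts name=value pairs on the command line, so the script can be exercised offline without a web server: `perl -T formmail-lite.pl recipient=webmaster email=someone@example.org subject='Hello' comment='Test message'` prints the message it would have handed to sendmail, and `subject=$'Hello\nBcc: victim@example.org'` is rejected with "Form not sent" instead of producing a second header. The point of the design is that nothing the visitor controls decides where the mail goes or how the mail program is invoked; FormMail's recipient field and its `|$mailprog` string are exactly the two places where that control leaked.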

==== Want to unsubscribe from this list?
==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org