[Date Prev][Date Next][Thread Prev][Thread Next]
[Search]
[Date Index]
[Thread Index]
Re: [MacPerl-WebCGI] Quoting body from a WWWboard posting
>>At 19:32 -0700 07/22/1999, Bruce Van Allen wrote:
>>>1. Too many of us too many times find errors, security problems, or
>>>poor handling of special cases in MW's scripts. I would guess many
>>>have also learned some Perl the hard way by trying to fix these
>>>scripts... ;-)
>>
>>You mean like FormMail.cgi?
>>
>>Richard Gordon
>>--------------------
>
> As a newbie to CGI programming and currently using Formmail, this caught
> my attention. I am interested in learning more about the things in
> Formmail that need to be fixed, particularly if there are any security
> issues.
>
> Thanks,
> Brian
PMFJI:
FormMail, in of itself, is harmless - it will allow your users to
send mail as if they were someone else, but anyone who can
program simple scripts in Perl can already do that.
The biggest issue I found in FormMail is that you can get the
script to mail out server files, if it is not set up properly.
For that reason I quit using it sometime ago.
I had expressed an interest in clp.misc to possibly start a
group to rewrite some of the more popular scripts into a
correct form, proper -w, strict, Taint safe versions, but
no one seemed interested...
Here is some starter code, if anyone is interested in
replacing FormMail with one that addresses their
own needs better. It's an AutoResponder by Jochen Wiedman,
which I ahve changed somewhat, but it will give you some
ideas about how to provide the FormMail functions yourself:
#!/usr/local/bin/perl -w
=pod
=head1 NAME
autoresponder - A script for receiving a mail and immediately replying.
=head1 SYNOPSIS
autoresponder [options] [filename]
=head1 DESCRIPTION
While installing a new mail server or client you typically are sending
and receiving test mails over and over again. Even worse, you sometimes
have to make a phone call and ask someone to send a mail to you.
This script will help you in some cases by setting up an email address
like autoresponder@company.com that will receive email addresses and
immediately reply it back.
=head1 INSTALLATION
Install the prerequisite Perl modules, in particular Graham Barr's
excellent Mailtools package. L<Mail::Internet(3)>.
In /etc/mail/aliases or /etc/aliases, put lines like this:
autoresponder: "| /usr/local/bin/autoresponder"
owner-autoresponder: /dev/null
autoresponder-owner: /dev/null
Then do a "newaliases".
Edit the autoresponder script and change the reply-to address to
point back to one of the owner addresses. This should have the
advantage that you won't see error messages generated by the
autoresponder.
=head1 SCRIPT CATEGORIES
mailstuff
=head1 PREREQUISITES
The MailTools package, in particular the Mail::Internet module.
L<Mail::Internet(3)>.
=head1 OSNAMES
any OS using sendmail or a compatible mail server
=head1 AUTHOR
Jochen Wiedmann
Am Eisteich 9
72555 Metzingen
Germany
Email: joe@ispsoft.de
=head1 SEE ALSO
L<Mail::Internet(3)>, L<aliases(5)>
=cut
use strict;
use diagnostics;
############################################################################
#
# Configurable section
#
############################################################################
my $REPLY_TO = 'root@localhost';
#
# Use an entry like
#
# autoresponder-owner: /dev/null
#
# to suppress error messages from autoresponders replies.
#
############################################################################
use Mail::Internet ();
use Getopt::Long ();
use vars qw($opt_debug $opt_verbose $opt_help);
sub Usage() {
print <<EOF;
Usage: autoResponder [options] [filename]
Reads an email from [filename] (default: stdin) and replies to the sender.
Possible options are:
--debug Turn on debugging mode. (Suppresses actions)
--help Print this help message.
--verbose Turn on verbose mode.
EOF
exit 1;
}
eval { Getopt::Long::GetOptions('debug', 'verbose', 'help') };
Usage() if $@ || $opt_help;
$opt_verbose = 1 if $opt_debug;
my $fh;
if (@ARGV) {
my $file = shift @ARGV;
open(FILE, "<$file") or die "Failed to open $file: $!";
$fh = \*FILE;
print "Reading mail from $file.\n" if $opt_verbose;
} else {
$fh = \*STDIN;
print "Reading mail from STDIN.\n" if $opt_verbose;
}
my $msg = Mail::Internet->new($fh, 'Modify' => 0, 'MailFrom' => 'KEEP');
my @headers = @{$msg->head()->header()};
my @body = @{$msg->body()};
my @message = ("Hello from the E-Mail AutoResponder :]\n",
"Your mail was received by the autoresponder on ", scalar localtime,
".\n",
"Your mail was assigned the following (dss) Security Number: ",
localtime, ".\n",
"\n",
"=== Your message's E-Mail Header, as sent:\n\n",
@headers,
"=== End of Headers\n",
"\n",
"=== Your message's E-Mail Body, as sent, follows:\n\n",
@body,
"=== End of Body\n",
);
$msg = $msg->reply();
$msg->body(\@message);
print("Replying to $REPLY_TO.\n") if $opt_verbose;
$msg->head()->replace('Reply-To', $REPLY_TO);
print("Replying message:\n", $msg->as_string()) if $opt_verbose;
$msg->smtpsend() unless $opt_debug;
HTH,
-Sneex- :]
____________________________________________________________________
Bill Jones * Data Security Specialist * http://jacksonville.pm.org/
FCCJ * 501 W State St * Jacksonville, FL 32202 * 1 (904) 632-3089
__ __ __ __ __
/ // /__ ____ ___ __ __ / // /__ _____/ /_____ ____
/ _ / _ `/ _ \/ _ \/ // / / _ / _ `/ __/ '_/ -_) __/
/_//_/\_,_/ .__/ .__/\_, / /_//_/\_,_/\__/_/\_\\__/_/
/_/ /_/ /___/
Running LinuxPPC RedHat 5.0 (Hurricane)
__ _ http://www.linuxppc.org
/ /(_)_ __ _ ___ __ http://www.apache.org
/ / | | '_ \| | | \ \/ / http://www.redhat.com
/ /__| | | | | |_| |> < http://www.perl.com
\____/_|_| |_|\__,_/_/\_\ http://www.gimp.org
==== Want to unsubscribe from this list?
==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org