Re: Re: Re: Vetting a CGI script

by idsfa (Vicar)
on Nov 12, 2003 at 18:23 UTC (#306582)


in reply to Re: Re: Vetting a CGI script
in thread Vetting a CGI script

I'd really recommend not doing that either. For one, the syntax for that call looks like:

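    $message = "From: blah\nTo: blah\nSubject: blah\n\nmessage\n";
    # sendmail needs recipients on the command line, or -t to take them from the headers
    open(SENDMAIL, "|sendmail -i") or die "Cannot start sendmail: $!";
    print SENDMAIL $message;
    close(SENDMAIL);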

Updated:
(Yes, I know it could be done with multiple prints, but I hate dribbling information through a pipe ...)

Which is a bigger rewrite than moving to Net::SMTP:

    use Net::SMTP;

    $smtp = Net::SMTP->new('mailhost');
    $smtp->mail($ENV{USER});       # print MAIL "MAIL FROM ..."
    $smtp->to('postmaster');       # print MAIL "RCPT TO ..."
    $smtp->data();                 # print MAIL "DATA\n";
    $smtp->datasend("line 1\n");   # print MAIL ...
    $smtp->datasend("line 2\n");   # print MAIL ...
    $smtp->datasend("line 3\n");   # print MAIL ...
    $smtp->dataend();
    $smtp->quit;

Updated: (duh ... typing "first" w/o a "second")
Second, invoking a whole 'nother app (sendmail) when you've already got perl running is just a bunch more overhead on your server. You then also have any security holes in 'sendmail -i' to remember to look for.


My parents just came back from a planet where the dominant life form had no
bilateral symmetry, and all I got was this stupid F-Shirt.


Re: Re: Re: Re: Vetting a CGI script
by dvergin (Monsignor) on Nov 12, 2003 at 18:49 UTC
    Quoth idsfa: "I'd really recommend not doing that either. For one, the syntax..." I'm missing something. What is wrong with solving the "\n.\n" issue by using the '-i' option in a pipe to sendmail? And what is syntactically bad about the example you gave?

    Same question regarding use of Net::SMTP. The boss is going to ask me "Why?". I need a better answer than, "Some helpful person on the web said it was better." Why is the Net::SMTP code you recommend more secure than piping to sendmail with the '-i' option and hard-coded email header data? I know there are issues about gracefully handling situations where sendmail is missing or in a non-standard place. I'll deal with that. But what sort of potential input would Net::SMTP handle more securely in this situation?

    BTW: I use standard modules all the time and will likely recommend Net::SMTP for use here. This is not a question of wanting to avoid their use. I just want to have a knowledgeable rationale to explain myself.

    ------------------------------------------------------------
    "Perl is a mess and that's good because the
    problem space is also a mess.
    " - Larry Wall
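
The "\n.\n" issue discussed in this thread, as an added example that is not code from either poster or from Net::SMTP: it models a mail program that stops reading at a line holding only a dot (sendmail run without '-i'), next to the dot-stuffing an SMTP client applies during DATA (RFC 5321, section 4.5.2). The function names and the sample body are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample body: user-supplied text containing a line with a lone dot.
my $body = "First paragraph.\n.\nSecond paragraph, after the dot line.\n";

# Model of a mail program reading a message on stdin WITHOUT -i:
# a line consisting of a single "." is treated as end of input.
sub read_until_lone_dot {
    my ($text) = @_;
    my @kept;
    for my $line (split /\n/, $text) {
        last if $line eq '.';
        push @kept, $line;
    }
    return join("\n", @kept) . "\n";
}

# SMTP transparency, sender side: any line that starts with "." gets one
# more "." prepended, lines end in CRLF, and a lone "." closes the message.
sub dot_stuff {
    my ($text) = @_;
    my @lines = map { /^\./ ? ".$_" : $_ } split /\n/, $text;
    return join('', map { "$_\r\n" } @lines) . ".\r\n";
}

# Receiver side: stop at the lone ".", strip one leading "." from other lines.
sub dot_unstuff {
    my ($wire) = @_;
    my @out;
    for my $line (split /\r\n/, $wire) {
        last if $line eq '.';
        $line =~ s/^\.//;
        push @out, $line;
    }
    return join("\n", @out) . "\n";
}

my $truncated = read_until_lone_dot($body);
my $roundtrip = dot_unstuff(dot_stuff($body));

print "without -i, delivered body:\n$truncated\n";
print "dot-stuffed round trip intact: ",
    ($roundtrip eq $body ? "yes" : "no"), "\n";
```

Either path has to neutralise the lone-dot line: the pipe needs '-i', and an SMTP client needs the escaping shown in dot_stuff.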
