|Keep It Simple, Stupid|
Re^2: CGI Contact Form / Mailerby vladb (Vicar)
|on Feb 14, 2006 at 05:26 UTC||Need Help??|
Thanks for the catch, merlyn. But ...
if you examine the script closer, it is not mandating the use of any form fields to determine the recepient. Instead, the script is relying on internal config to determine these values. There's only an option to include the form field that is available to the user. Although, I admit, I may have to include a disclaimer about potential risks involved in using such form field. Yet, I did use similar script on some of my clients' internal company servers for feedback collection, in which case, a hidden form field containing recepient email address wouldn't pose any threat. This does appear to be a case of an older feature making it's way to the final revision. Which, as you pointed out, may not be a good thing.
In fact, the only form field "required" to run the script is the special _mf_ parameter. And even that may be omitted if the script is using the default config only. Also the parameter is retreived from the outside environment in a safe manner:
The rest is and should be all configured via internal .conf files, further minimizing any outside tampering with the script. Additional security measure could be to taint check the rest of 'information' fields that are being sent along with the email.
You are right on the other items though, and I admit script needs alittle rework around potential security holes.
And yet, despite of all said, I am baffled that having made the effort to package and give the script away, I'm simply asked to fold it back. It truly is a disappointing loss of my time ...
Please, don't take me wrong though. I do thoroughly appreciate the fact that unlike others who chose to -- this contribution, you actually made the effort and took some of your scarce time to include an explanation for doing so.
"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce
the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true."
Robert Wilensky, University of California