PerlMonks  

Re: FB, CGI and the nms offerings

by davorg (Chancellor)
on Jul 29, 2008 at 12:36 UTC ( [id://700808] )


in reply to FB, CGI and the nms offerings

Looks like nms formmail was packaged for sarge but not for etch. I know next to nothing about Debian, so I don't know why this is.

nms formmail is deliberately rather simple. It does nothing more than what Matt's formmail did (tho' hopefully in a better written and more secure manner). If you want something that is a bit more flexible, then you should look at the tfmail program (also from the nms project).

Should you use the nms programs in preference to your own? Well, that's up to you. We wrote the nms programs partly so there was a better alternative to Matt's Script Archives, but also so there were some popular examples of well-written Perl programs out there for people to learn from.

In the nms project we deliberately target an older version of Perl (5.004_04) as when we started the project, that was still common on rented web space and we didn't want to give anyone an excuse to use Matt's scripts instead of ours. We also didn't use any CPAN modules for the same reasons. If you're working in an environment without those restrictions, then it's certainly possible to create code that is just as secure as ours using various CPAN modules.

But please take a look at our code at least, and understand the security decisions that we have taken. If you have any questions then feel free to ask them on our mailing list.

--

See the Copyright notice on my home node.

"The first rule of Perl club is you do not talk about Perl club." -- Chip Salzenberg

Re^2: FB, CGI and the nms offerings
by LesleyB (Friar) on Jul 29, 2008 at 13:44 UTC

    Thank you for this information.

    I am just at the stage of working out the ways to untaint my data of which there may be many. I got that there shouldn't be any mail headers allowed and banned ':' from any field except the message body, plus HTML escaping any data input including that in the message body.

    I now plan to include exclusion of newline characters in all but the message body as well.

    My problem now resolves to how to untaint the message body, but I will look at the nms code to pick up further clues and improvements.
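The field rules described in this reply (no newlines or colons in anything that ends up in a mail header, a more permissive body, HTML escaping on the way back out) as an added Perl example; it is not the poster's code nor the nms project's, and the length limits and field names are assumed.

```perl
use strict;
use warnings;
# Every field except the body is copied into a mail header, so a CR/LF or a
# colon there would let the submitter append header lines of their own.
# Reject the value outright rather than stripping the offending characters.
sub check_header_field {
    my ($value) = @_;
    return undef if !defined $value || $value =~ /[\r\n:]/;
    return undef if length($value) > 200;          # assumed policy limit
    $value =~ s/^\s+//; $value =~ s/\s+$//;
    return $value;
}
# The body may legitimately contain colons and newlines; normalise the line
# endings so a lone "\r" is not misread when the body is written out, and bound its size.
sub check_body {
    my ($value) = @_;
    return undef unless defined $value;
    $value =~ s/\r\n?/\n/g;
    return length($value) > 10_000 ? undef : $value;  # assumed policy limit
}
# Hand-rolled escape (no CPAN) for anything echoed back into a web page.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$map{$1}/g;
    return $s;
}
# Returns (\%clean, undef) on success or (undef, $reason) on rejection.
sub validate_form {
    my ($form) = @_;
    my %clean;
    for my $f (qw(realname subject)) {               # assumed header-bound fields
        my $v = check_header_field($form->{$f});
        return (undef, "bad value in $f") unless defined $v;
        $clean{$f} = $v;
    }
    my $body = check_body($form->{body});
    return (undef, 'bad body') unless defined $body;
    $clean{body} = $body;
    return (\%clean, undef);
}
# Constructed sample submissions, not real form data.
my %good = (realname => 'Lesley', subject => 'Hello', body => "Line one\r\nTime: <noon>");
my %evil = (realname => "Lesley\nBcc: other\@example.net", subject => 'Hi', body => 'x');
for my $form (\%good, \%evil) {
    my ($clean, $err) = validate_form($form);
    print defined $clean ? 'accepted: ' . html_escape($clean->{body}) . "\n"
                         : "rejected: $err\n";
}
```

The first submission is accepted with its body normalised and escaped; the second is rejected because the name field carries an injected header line.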

Re^2: FB, CGI and the nms offerings
by DrHyde (Prior) on Jul 30, 2008 at 10:07 UTC
    Looks like nms formmail was packaged for sarge but not for etch.

    Provided that you're willing to resolve the dependencies by hand, you should be able to download a sarge package and install it on etch.

    Download packages from here.

    Install them with dpkg -i $filename. Any dependencies aside from the various bits of nms-cgi can be installed using apt-get as usual.

    And as an aside, whenever you meet one of the Debian Cabal, smash him over the head with a heavy blunt implement while screaming USE VERSION NUMBERS INSTEAD OF CUTESY NAMES YOU CRETIN. Because unless you spend far too much time playing with your OS (as opposed to using it) you have no idea what the current version is called, and whether it comes before FluffyBunny or after IckleBabyLamb.

      You know as well as I that Debian releases have code names and version numbers just like other operating systems. I will admit that people tend to use the names more than the numbers, but the same could also be said of Ubuntu and Mac. Which OS X "cat" are you currently running?

      Sarge = 3.1, Etch = 4.0 and Lenny will be 5.0. Indeed, the code name is mostly used before the release (before a number has been allocated); once released, the release number is used in official documents and the code name in quotes or parentheses, if at all.

      --
      ajt

        Yes, I know that they use cutesy names and version numbers, but they try really hard to keep the version numbers hidden.

        I'm running 10.4, hope that helps :-)

Re^2: FB, CGI and the nms offerings
by ajt (Prior) on Jul 30, 2008 at 13:16 UTC

    It looks like the maintainer asked for them to be removed: nms-* -- RoM; not used much, no added value in Debian. Sometimes when a maintainer runs out of spare time code gets dropped, or as in this case it's easier to just install the tarball than bother with an official package.

    --
    ajt
