Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Re: CGI Contact Form / Mailer

by merlyn (Sage)
on Feb 14, 2006 at 02:01 UTC ( [id://529993]=note: print w/replies, xml ) Need Help??


in reply to CGI Contact Form / Mailer

There's a potential spam issue, because your error checking is poor. However, since you don't provide a sample template, I can't be sure.

Your code: 

defined $from && $from =~ m/.+\@.+/

[download]
doesn't forbid a newline. If that newline is inserted into the header of the message, a spammer can create an arbitrary subject and sender, and then a blank line, permitting an arbitrary body. Sure, your added header and sender will be at the bottom of the message, but at that point, who cares?

Also, just being able to send a message to a recipient designated by a form field is considered very bad manners in this day and age. Please discontinue the promotion of your mailscript.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.

Replies are listed 'Best First'.
Re^2: CGI Contact Form / Mailer
by vladb (Vicar) on Feb 14, 2006 at 05:26 UTC
    Thanks for the catch, merlyn. But ...

    if you examine the script closer, it is not mandating the use of any form fields to determine the recepient. Instead, the script is relying on internal config to determine these values. There's only an option to include the form field that is available to the user. Although, I admit, I may have to include a disclaimer about potential risks involved in using such form field. Yet, I did use similar script on some of my clients' internal company servers for feedback collection, in which case, a hidden form field containing recepient email address wouldn't pose any threat. This does appear to be a case of an older feature making it's way to the final revision. Which, as you pointed out, may not be a good thing.

    In fact, the only form field "required" to run the script is the special _mf_ parameter. And even that may be omitted if the script is using the default config only. Also the parameter is retreived from the outside environment in a safe manner: 
        my $mf = $cgi->param('_mf_');
    $mf =~ s/\.\/\\//g; # remove . \ / chars
    $mf ||= "default";

    [download]
    The rest is and should be all configured via internal .conf files, further minimizing any outside tampering with the script. Additional security measure could be to taint check the rest of 'information' fields that are being sent along with the email.

    conf/default.conf 
    # smtp server
SMTP_HOST=mail.yourhost

SMTP_PORT=110

SMTP_TIMEOUT=60

# name form imputs which are lists (comma separated)
# FORM_INPUT_LISTS=

# recipient email
RECIPIENT=myemail@myhost.com

# sender field required
REQUIRE_SENDER=no

# sender field (from html form)
SENDER_FIELD=EMAIL

# subject (could contain html::template variables!)
SUBJECT=Contact From <TMPL_VAR NAME>, <TMPL_VAR COMPANY>

# mail template (to the recipient)
MAIL_TMPL=mail

#------------- CONFIRM ------------
# sender template (optional)
# mail to be sent to the sender
CONFIRM_MAIL_TMPL=mail_confirm

# subject of the confirmation email
CONFIRM_SUBJECT=Thank you for your interest in ...
# 
CONFIRM_REPLYTO=mycontact@myhost.com

#------------- OK -----------------
# redirect when mail was sent ok
#
REDIRECT_OK=/thankyou.shtml

# template to use on successful send
# (overrides redirect_ok)
# 
# TMPL_OK=<template path>

#------------- FAIL ---------------
# redirect when couldn't send mail and other non system errors
#
# REDIRECT_FAIL=<url path>

# template to use on failure
# (overrides redirect_fail)
#
TMPL_FAIL=fail

#----------- USER ERROR -----------
# template for usage error page
#
TMPL_USER_ERROR=user_error

# redirect url on user (usage) error
# (user_error_tmpl will be ignored)
#
# REDIRECT_USER_ERROR=<url path>

    [download]
    You are right on the other items though, and I admit script needs alittle rework around potential security holes.

    And yet, despite of all said, I am baffled that having made the effort to package and give the script away, I'm simply asked to fold it back. It truly is a disappointing loss of my time ...

    Please, don't take me wrong though. I do thoroughly appreciate the fact that unlike others who chose to -- this contribution, you actually made the effort and took some of your scarce time to include an explanation for doing so.


    _____________________
    "We've all heard that a million monkeys banging on a million typewriters will eventually reproduce
    the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true."

    Robert Wilensky, University of California

[reply]
[d/l]
[select]
      And yet, despite of all said, I am baffled that having made the effort to package and give the script away, I'm simply asked to fold it back. It truly is a disappointing loss of my time ...
      I guess my statement regarding the world not needing yet another mailform program is driven by two things:
      • The damage done by Matt Wright with his buggy mailform script
      • The excellent work done by the NMS team to both recreate an upward compatible replacement, and continue to maintain and support the script for free
      If you were not aware of the NMS version of mailform, perhaps a bit more research on your part would have been advised. It would have saved you time and resources. You could have used that time to create something unique, instead of retreading a far-too-rewritten area, and poorly.

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.

[reply]

In Section Code Catacombs

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://529993]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others pondering the Monastery: (5)
As of 2024-04-18 13:02 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found