Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

Dangers of rolling your own mail script

by swiftone (Curate)
on Oct 14, 2002 at 16:37 UTC ( #205148=note: print w/replies, xml ) Need Help??

in reply to Re: Re: Re: Eliminating useless server information
in thread Eliminating useless server information

Many thanks to those in the chatterbox that pointed out some of these comments, particularly perrin and merlyn. This comment should be considered a combined comment.

There are many dangers inherent in rolling your own mail script. (Matt Wright managed to expose almost all of them, so you can search perlmonks and/or the web and newsgroups if you want excrutiating detail.)

merlyn correctly pointed out that your script is ripe for spam abuse. And don't think they won't use it.

First, there is a project called NMS that creates solid "simple" scripts like this that are audited by the community for security holes. I'd recommend looking there first in the future. In particular, look at their formmail script. The code is well documented, and it can prevent the spam relay concerns, as well as others.

Second, while you module makes use of the CGI module, you don't use any of the Mail::* modules. I recommend using a module for this sort of thing: It increases portability, and centralizes the functionality so it easy to upgrade security holes if/when they are discovered.

Third, you don't make use of taint checking. While all CGI scripts should arguably use taint checking, scripts that pass said data to other programs need it all the more.

  • Comment on Dangers of rolling your own mail script

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://205148]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (9)
As of 2018-06-19 15:21 GMT
Find Nodes?
    Voting Booth?
    Should cpanminus be part of the standard Perl release?

    Results (114 votes). Check out past polls.