http://www.perlmonks.org?node_id=306577


in reply to Re: Vetting a CGI script
in thread Vetting a CGI script

Perfect! That's exactly the kind of thing I was looking for.

So I would recommend the use of the sendmail '-i' option. Given that and the fact that all the email header data is hard-coded, is there any way to case grief with user data only going into the email body?

------------------------------------------------------------
"Perl is a mess and that's good because the
problem space is also a mess.
" - Larry Wall

Replies are listed 'Best First'.
Re: Re: Re: Vetting a CGI script
by idsfa (Vicar) on Nov 12, 2003 at 18:23 UTC

    I'd really recommend not doing that either. For one, the syntax for that call looks like:

    $message = "From: blah\nTo: blah\nSubject: blah\n\nmessage\n"; open (SENDMAIL,"|sendmail -i); print SENDMAIL $message; close(SENDMAIL);

    Updated:
    (Yes, I know it could be done with multiple print's, but I hate dribbling information through a pipe ...)

    Which is a bigger rewrite than moving to Net::SMTP:

    use Net::SMTP; $smtp = Net::SMTP->new('mailhost'); $smtp->mail($ENV{USER}); # print MAIL "MAIL FROM ..." $smtp->to('postmaster'); # print MAIL "RCPT TO ..." $smtp->data(); # print MAIL "DATA\n"; $smtp->datasend("line 1\n"); # print MAIL ... $smtp->datasend("line 2\n"); # print MAIL ... $smtp->datasend("line 3\n"); # print MAIL ... $smtp->dataend(); $smtp->quit;

    Updated: (duh ... typing "first" w/o a "second")
    Second, invoking a whole 'nother app (sendmail) when you've already got perl running is just a bunch more overhead on your server. You then also have any security holes in 'sendmail -i' to remember to look for.


    My parents just came back from a planet where the dominant life form had no
    bilateral symmetry, and all I got was this stupid F-Shirt.
      Quothe idsfa: "I'd really recommend not doing that either. For one, the syntax..." I'm missing something. What is wrong with solving the "\n.\n" issue by using the '-i' option in a pipe to sendmail. And what is syntactly bad about the example you gave.

      Same question regarding use of Net::SMTP. The boss is going to ask me "Why?". I need a better answer than, "Some helpful person on the web said it was better." Why is the Net::SMTP code you recommend more secure than piping to sendmail with the '-i' option and hard-coded email header data? I know there are issues about gracefully handling situations where sendmail is missing or in a non-standard place. I'll deal with that. But what sort of potential input would Net::SMTP handle more securely in this situation?

      BTW: I use standard modules all the time and will likely recommend Net::SMTP for use here. This is not a question of wanting to avoid their use. I just want to have a knowledgable rationalle to explain myself.

      ------------------------------------------------------------
      "Perl is a mess and that's good because the
      problem space is also a mess.
      " - Larry Wall