Re: Sendmail query

I'm not sure if you're writing from scratch or modifying one of those "bad" CGI scripts that are out there (or even one of those "good" scripts that use perl -T and cgi.pm). But a couple points couldn't hurt.

The command line flags you give to sendmail will be important for security. You will probably need to use -t and -i. The -t just tells sendmail to get the "To" and "Cc" information out of the headers of the mail you are sending. Unless you are root, you have to have a truthful "From", so that will be determined by the setup on the web server. The -i is very important. It tells sendmail that it should ignore any periods that are sitting on a line by themselves (this is the normal way to end an email in Unix) and wait until it receives the end of the input stream instead.

The reasoning here is that if you are in a CGI environment, an evil user might put a period alone on a line inside of a comment section, for instance, and then the remaining characters are being thrown at the OS (and being possibly executed, depending on how things are set up). The -i will avoid this dangerous situation.

According to the Module Reviews, the Mail::Sendmail module will work in both Windows and Unix, and may thus solve your dilemma.

Comment on Re: Sendmail query

Replies are listed 'Best First'.
Re: Re: Sendmail query by costas (Scribe) on May 31, 2001 at 17:55 UTC
Is sendmail a perl module or is it a part of unix os	[reply]
Re: Re: Re: Sendmail query by mpolo (Chaplain) on May 31, 2001 at 17:59 UTC
sendmail is a BSD program that is widely (though not exclusively) used as a mail transport agent in the nix world. The module Mail::Sendmail is misnamed, as it doesn't use sendmail on a Windows box. Some nix machines will use qmail instead of sendmail, for instance. Update: I just read the Mail::Sendmail docs myself, and it sends out by SMTP if it can't find a local mailer. (The SMTP interface is not as advanced as in Net::SMTP.)	[reply]


XP is just a number
	PerlMonks