cgi security
Moshe Zadka
moshez at zadka.site.co.il
Wed Apr 4 03:00:46 EDT 2001
On Wed, 04 Apr 2001 06:16:53 GMT, Sheila King <sheila at spamcop.net> wrote:
> One thing, that seems to be important (?) is to check that at least the e-mail
> addresses input by users are in the correct e-mail format.
No it isn't. Neither important, not possible in general. Well, it is possible
but the best regex people have come up with is ~10k characters and still
doesn't deal with the corner cases.
You want to make sure you got a valid addy? Send mail to it.
> f = open(PathToSENDMAIL + ' -t', 'w')
> f.write(text)
> f.close()
>
> I'm thinking this should be fairly secure, since sendmail has already been
> told that the "text" that is coming next is a message, and not something that
> could possibly be executed?
As long as you get a secure /usr/lib/sendmail. Anyone trusting the
security of Eric Allman's sendmail is insane. Got exim, postfix or qmail.
> I suppose if I don't want that to bomb, I need to carefully check the composed
> message and make sure that it is formatted correctly?
No, you need to catch exceptions.
--
"I'll be ex-DPL soon anyway so I'm |LUKE: Is Perl better than Python?
looking for someplace else to grab power."|YODA: No...no... no. Quicker,
-- Wichert Akkerman (on debian-private)| easier, more seductive.
For public key, finger moshez at debian.org |http://www.{python,debian,gnu}.org
More information about the Python-list
mailing list