A email.cgi script

Andrew Clover and-google at doxdesk.com
Mon Aug 16 06:52:32 EDT 2004


wonder <a at b.com> wrote:

> Is there any sample python script can do that?

Not that I know of, but it's pretty simple. Your script seems to cover
it, except for some security issues:

> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr, 
> subject)

'subject' comes directly from a form submission but has not been
sanitised and can contain control characters. (Some form handling
software will remove them automatically for you, but the 'cgi' module
does not.)

So if an attacker inserts a '\n' into the subject field they can add
arbitrary headers and body content to the mail you are sending out.
You probably don't want that.

>      print "Content-type: text/html"
>      print
>      print ack_text

Here the text is not HTML-escaped. An attacker can send a user to the
form script with an ack_text parameter of
'<script>alert(document.cookie)</script>' or similar
cross-site-scripting exploits. If your site is not particularly
sensitive this might not be a problem for you, but it's a bad idea
in general.

> it does not display To and From editbox in the webpage for user type in
> their addresses

If you allow both the 'To' address and arbitrary message text to be
supplied, your script is very likely going to be spending most of its
life sending spam!

-- 
Andrew Clover
mailto:and at doxdesk.com
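The two fixes described above (reject control characters in header values, HTML-escape the acknowledgement text), as an added Python 3 example that is not part of the original thread; the fixed CONTACT_ADDRESS and the function names are assumptions, and the recipient is deliberately not taken from the form.

```python
import html
import re
from email.message import EmailMessage

# Hypothetical fixed recipient: the form never supplies the 'To' address,
# so the script cannot be turned into an open mail relay.
CONTACT_ADDRESS = "webmaster@example.com"

# Any ASCII control character (CR, LF, NUL, ESC, ...) has no place in a
# single-line header value.  Rejecting the submission is simpler and safer
# than stripping characters and hoping the remainder is harmless.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header(value):
    """True if value can be used as one mail header line."""
    return _CONTROL_CHARS.search(value) is None and 0 < len(value.strip()) <= 200


def clean_header(value):
    """Return the stripped header value, or raise if it could inject headers."""
    if not is_safe_header(value):
        raise ValueError("unsafe header value: %r" % value)
    return value.strip()


def build_message(reply_to, subject, body):
    """Build the outgoing mail with the cgi-supplied subject safely set."""
    msg = EmailMessage()
    msg["From"] = CONTACT_ADDRESS          # fixed sender, not form-controlled
    msg["To"] = CONTACT_ADDRESS            # fixed recipient, not form-controlled
    msg["Reply-To"] = clean_header(reply_to)
    msg["Subject"] = clean_header(subject)
    msg.set_content(body)                  # body may contain anything; it is data
    return msg


def render_ack(ack_text):
    """HTML page for the acknowledgement; user text is escaped, never raw."""
    return "<p>%s</p>" % html.escape(ack_text, quote=True)


if __name__ == "__main__":
    print(build_message("a@b.com", "Hello", "Just testing").as_string())
    print(render_ack("<script>alert(document.cookie)</script>"))
```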
