cgi security
Sheila King
sheila at spamcop.net
Wed Apr 4 03:15:19 EDT 2001
On Wed, 04 Apr 2001 09:00:46 +0200, Moshe Zadka <moshez at zadka.site.co.il>
wrote about Re: cgi security:
:On Wed, 04 Apr 2001 06:16:53 GMT, Sheila King <sheila at spamcop.net> wrote:
:
:> One thing, that seems to be important (?) is to check that at least the e-mail
:> addresses input by users are in the correct e-mail format.
:
:No it isn't. Neither important, not possible in general. Well, it is possible
:but the best regex people have come up with is ~10k characters and still
:doesn't deal with the corner cases.
:You want to make sure you got a valid addy? Send mail to it.
Sweet. Sounds good to me.
:> f = open(PathToSENDMAIL + ' -t', 'w')
:> f.write(text)
:> f.close()
:>
:> I'm thinking this should be fairly secure, since sendmail has already been
:> told that the "text" that is coming next is a message, and not something that
:> could possibly be executed?
:
:As long as you get a secure /usr/lib/sendmail. Anyone trusting the
:security of Eric Allman's sendmail is insane. Got exim, postfix or qmail.
Well, actually the system is using qmail. See, here's a header from the e-mail
you sent:
Received: (qmail 29671 invoked from network); 4 Apr 2001 07:05:38 -0000
;)
There's just a "sendmail wrapper" around qmail, so that scripts can be run in
the customary way.
:> I suppose if I don't want that to bomb, I need to carefully check the composed
:> message and make sure that it is formatted correctly?
:
:No, you need to catch exceptions.
OK, great, I'm already doing that. Thanks. I guess I'm on the right path,
then.
--
Sheila King
http://www.thinkspot.net/sheila/
http://www.k12groups.org/
More information about the Python-list
mailing list