smtplib security risk
Simon Brunning
SBrunning at trisystems.co.uk
Wed Jun 20 09:42:26 EDT 2001
> From: Roman Suzi [SMTP:rnd at onego.ru]
> No. It's a security risk. Just ALWAYS check user inputs on
> CGI or other places. Strip "../" and other things, depending
> on what you do with your data. Etc.
>
> Even if you are the only user of your CGI, make it a habit to
> check input. It's a good habit.
>
> And your mail template is exploitable, I guess, to spam the World,
> because you direct user input into it, checking nothing.
>
Eeek! Thanks for pointing this out!
What can be smuggled into the message parameter of a smtplib.SMTP's sendmail
method that I want to protect against?
Cheers,
Simon Brunning
TriSystems Ltd.
sbrunning at trisystems.co.uk
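To make Simon's question concrete, here is an added example (not code from the thread or from any of its participants) of what can be smuggled through a string-formatted mail template, and how smtplib treats it. The template, field names and addresses are constructed for illustration. The point it shows: smtplib.SMTP.sendmail dot-stuffs the message body, so a lone "." line cannot end the DATA command early, but it sends the header block exactly as given, so a CR/LF in a user-supplied field such as Subject becomes a new header (Bcc:, extra To:) or, with a blank line, a replacement body. The envelope recipients come from sendmail's to_addrs argument, so the form must also refuse to let the user choose who it mails; the hardened variant below fixes the recipient and builds headers with the email package, which (under its default policy) raises ValueError for header values containing line breaks.

```python
"""Header injection through a string-formatted mail template (added example).

Everything here is constructed: the template, the field names and the
addresses. None of it is taken from the original post.
"""
import smtplib
from email.message import EmailMessage

OWNER = "owner@example.com"              # the only address the form should mail
ALLOWED_RECIPIENTS = {OWNER}

# The risky pattern the thread warns about: user input pasted into the headers.
TEMPLATE = ("From: webform@example.com\r\n"
            "To: {to}\r\n"
            "Subject: {subject}\r\n"
            "\r\n"
            "{body}")


def naive_message(to, subject, body):
    """Build the message the way a careless CGI script would."""
    return TEMPLATE.format(to=to, subject=subject, body=body)


def header_names(raw):
    """Names of the header fields a receiving MTA sees in the DATA section."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")]


def as_wire_data(raw):
    """What smtplib puts on the wire after DATA.

    smtplib.quotedata applies the same CRLF normalisation and dot-stuffing
    that SMTP.sendmail/SMTP.data perform, so a body line consisting of a
    single "." becomes ".." and cannot terminate the message early.
    """
    return smtplib.quotedata(raw)


def recipient_ok(addr):
    """Envelope recipients must come from configuration, not from the form."""
    if "\r" in addr or "\n" in addr or " " in addr:
        return False
    return addr in ALLOWED_RECIPIENTS


def safe_message(subject, body):
    """Hardened form of the template.

    Header values are rejected if they contain CR or LF, and the recipient is
    fixed. EmailMessage (default policy) also raises ValueError for multi-line
    header values, so the explicit check is defence in depth.
    """
    if "\r" in subject or "\n" in subject:
        raise ValueError("header field must not contain CR/LF")
    msg = EmailMessage()
    msg["From"] = "webform@example.com"
    msg["To"] = OWNER
    msg["Subject"] = subject
    msg.set_content(body)           # body text is quoted/encoded by the package
    return msg


def send(msg, host="localhost"):
    """How the hardened message would be submitted (not called here: no server).

    The envelope recipient list is explicit and fixed; nothing from the form
    reaches the MAIL FROM / RCPT TO commands.
    """
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg, from_addr="webform@example.com", to_addrs=[OWNER])


if __name__ == "__main__":
    # Attacker-controlled subject that smuggles a Bcc: header.
    injected = "Hello\r\nBcc: victim1@example.net, victim2@example.net"
    raw = naive_message("attacker@evil.example", injected, "hi")
    print(header_names(raw))                  # ['From', 'To', 'Subject', 'Bcc']
    print(repr(as_wire_data("hi\r\n.\r\nQUIT")))  # lone dot is dot-stuffed
    try:
        safe_message(injected, "hi")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it with no arguments to see the injected Bcc: appear in the naive header block and be refused by safe_message. If the form must support user-chosen recipients, validate them with recipient_ok against a configured allowlist rather than passing form values to to_addrs.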