smtplib security risk
Roman Suzi
rnd at onego.ru
Wed Jun 20 09:59:28 EDT 2001
On Wed, 20 Jun 2001, Simon Brunning wrote:
> > From: Roman Suzi [SMTP:rnd at onego.ru]
> > No. It's a security risk. Just ALWAYS check user inputs on
> > CGI or other places. Strip "../" and other things, depending
> > on what you do with your data. Etc.
> >
> > Even if you are the only user of your CGI, make it a habit to
> > check input. It's a good habit.
> >
> > And your mail template is exploitable, I guess, to spam the World,
> > because you direct user input into it, checking nothing.
> >
> Eeek! Thanks for pointing this out!
>
> What can be smuggled into the message parameter of a smtplib.SMTP's sendmail
> method that I want to protect against?
I'm not sure. Probably EndOfLine + some other field, broken <, >, ",, too
lengthy field.
But mostly ENDOFLINE and length. Other errors, I think, smtplib will
catch.
My advice was not based on certain knowledge. It's just my experience that
raw input in some cases could do harm.
> Cheers,
> Simon Brunning
> TriSystems Ltd.
> sbrunning at trisystems.co.uk
Sincerely yours, Roman A.Suzi
--
- Petrozavodsk - Karelia - Russia - mailto:rnd at onego.ru -
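The two risks named above, an end-of-line smuggled into a header field and an over-long field, as an added example that is not part of the original thread or of smtplib. It contrasts the "user input pasted into a template" pattern the thread warns about with a validated version that lets the email package assemble the message; the sample addresses are constructed and MAX_HEADER_LEN is a hypothetical application limit, not an RFC value.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# A header value must never contain a line break: a CR or LF lets the
# remainder of the value be parsed as a new header line (e.g. an extra Bcc).
CRLF_RE = re.compile(r"[\r\n]")
MAX_HEADER_LEN = 200  # hypothetical application limit for one header value


def naive_template(sender, recipient, subject, body):
    """The risky pattern from the thread: raw input formatted straight into
    a mail template that is then handed to smtplib.SMTP.sendmail()."""
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        f"\r\n{body}"
    )


def header_names(raw_message):
    """Return the header field names a receiving MTA would actually see in
    a raw RFC 5322 message (everything before the first blank line)."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]


def check_header_value(name, value):
    """Reject values that would add header lines or exceed a sane length."""
    if CRLF_RE.search(value):
        raise ValueError(f"{name}: line break in header value")
    if len(value) > MAX_HEADER_LEN:
        raise ValueError(f"{name}: value too long ({len(value)} > {MAX_HEADER_LEN})")
    return value


def build_message(sender, recipient, subject, body):
    """Validate each field first, then let EmailMessage build the message.
    The message can be sent with smtplib.SMTP.send_message(msg)."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = check_header_value("From", sender)
    msg["To"] = check_header_value("To", recipient)
    msg["Subject"] = check_header_value("Subject", subject)
    msg.set_content(body)  # body is not a header; line breaks are fine here
    return msg


def demo():
    """Constructed input: a 'subject' that carries a CRLF and an extra header.
    Returns (naive template exposed an extra header, validated build refused)."""
    tainted_subject = "Hello\r\nBcc: everyone@example.invalid"
    naive = naive_template("app@example.invalid", "user@example.invalid",
                           tainted_subject, "hi")
    injected = "Bcc" in header_names(naive)
    try:
        build_message("app@example.invalid", "user@example.invalid",
                      tainted_subject, "hi")
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    print(demo())
```

The explicit check is what gives a clear error to log; as a second line of defence, EmailMessage under email.policy.SMTP also refuses header values containing line breaks, so the validated path would fail closed even if the check were skipped. Length limits belong in the same place, before anything reaches the template.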