Is there away some could hijack my script, if so how, or is this sys. adm. not living in the real world?
Yes, this script can be hijacked =/ Sorry.
print MAIL "TO: [EMAIL PROTECTED]";
print MAIL "From: $name <$email>\n";
print MAIL "Subject: $subject\n\n";
Here is how -
There is no RFC822 requirement for Mail Headers be in any particular order - therefore when you accept $mail you assume the poster entered it correctly -- they could have injected MORE To: <RCPT-TO commands> abd other lines, etc.
Here is a LONG R/E to prevent that...
YMMV:
# # Code to build a regex to match an internet email address, # from Chapter 7 of _Mastering Regular Expressions_ (Friedl / O'Reilly) # (http://www.ora.com/catalog/regexp/) # # Optimized version. # # Copyright 1997 O'Reilly & Associates, Inc. #
# Some things for avoiding backslashitis later on.
my $esc = '\\\\'; my $Period = '\.';
my $space = '\040'; my $tab = '\t';
my $OpenBR = '\['; my $CloseBR = '\]';
my $OpenParen = '\('; my $CloseParen = '\)';
my $NonASCII = '\x80-\xff'; my $ctrl = '\000-\037';
my $CRlist = '\n\015'; # note: this should really be only \015.# Items 19, 20, 21 my $qtext = qq/[^$esc$NonASCII$CRlist\"]/; # for within "..." my $dtext = qq/[^$esc$NonASCII$CRlist$OpenBR$CloseBR]/; # for within [...] my $quoted_pair = qq< $esc [^$NonASCII] >; # an escaped character
##############################################################################
# Items 22 and 23, comment.
# Impossible to do properly with a regex, I make do by allowing at most one level of nesting.
my $ctext = qq< [^$esc$NonASCII$CRlist()] >;
# $Cnested matches one non-nested comment.
# It is unrolled, with normal of $ctext, special of $quoted_pair.
$Cnested = qq<
$OpenParen # (
$ctext* # normal*
(?: $quoted_pair $ctext* )* # (special normal*)*
$CloseParen # )
>;# $comment allows one level of nested parentheses
# It is unrolled, with normal of $ctext, special of ($quoted_pair|$Cnested)
$comment = qq<
$OpenParen # (
$ctext* # normal*
(?: # (
(?: $quoted_pair | $Cnested ) # special
$ctext* # normal*
)* # )*
$CloseParen # )
>;##############################################################################
# $X is optional whitespace/comments. $X = qq< [$space$tab]* # Nab whitespace. (?: $comment [$space$tab]* )* # If comment found, allow more spaces. >;
# Item 10: atom
$atom_char = qq/[^($space)<>\@,;:\".$esc$OpenBR$CloseBR$ctrl$NonASCII]/;
$atom = qq<
$atom_char+ # some number of atom characters...
(?!$atom_char) # ..not followed by something that could be part of an atom
>;
# Item 11: doublequoted string, unrolled.
$quoted_str = qq<
\" # "
$qtext * # normal
(?: $quoted_pair $qtext * )* # ( special normal* )*
\" # "
>;# Item 7: word is an atom or quoted string
$word = qq<
(?:
$atom # Atom
| # or
$quoted_str # Quoted string
)
>;# Item 12: domain-ref is just an atom $domain_ref = $atom;
# Item 13: domain-literal is like a quoted string, but [...] instead of "..."
$domain_lit = qq<
$OpenBR # [
(?: $dtext | $quoted_pair )* # stuff
$CloseBR # ]
>;
# Item 9: sub-domain is a domain-ref or domain-literal
$sub_domain = qq<
(?:
$domain_ref
|
$domain_lit
)
$X # optional trailing comments
>;# Item 6: domain is a list of subdomains separated by dots.
$domain = qq<
$sub_domain
(?:
$Period $X $sub_domain
)*
>;# Item 8: a route. A bunch of "@ $domain" separated by commas, followed by a colon.
$route = qq<
\@ $X $domain
(?: , $X \@ $X $domain )* # additional domains
:
$X # optional trailing comments
>;
# Item 6: local-part is a bunch of $word separated by periods
$local_part = qq<
$word $X
(?:
$Period $X $word $X # additional words
)*
>;# Item 2: addr-spec is [EMAIL PROTECTED] $addr_spec = qq< $local_part \@ $X $domain >;
# Item 4: route-addr is <route? addr-spec>
$route_addr = qq[
< $X # <
(?: $route )? # optional route
$addr_spec # address spec
> # >
];# Item 3: phrase........ $phrase_ctrl = '\000-\010\012-\037'; # like ctrl, but without tab
# Like atom-char, but without listing space, and uses phrase_ctrl.
# Since the class is negated, this matches the same as atom-char plus space and tab
$phrase_char =
qq/[^()<>\@,;:\".$esc$OpenBR$CloseBR$NonASCII$phrase_ctrl]/;
# We've worked it so that $word, $comment, and $quoted_str to not consume trailing $X
# because we take care of it manually.
$phrase = qq<
$word # leading word
$phrase_char * # "normal" atoms and/or spaces
(?:
(?: $comment | $quoted_str ) # "special" comment or quoted string
$phrase_char * # more "normal"
)*
>;
## Item #1: mailbox is an addr_spec or a phrase/route_addr
my $mailbox = qq<
$X # optional leading comment
(?:
$addr_spec # address
| # or
$phrase $route_addr # name and address
)
>;# End of Copyright 1997 O'Reilly & Associates, Inc. # End of Copyrighted code section...
See this code at work in an OLD script I wrote at:
http://backpan.cpan.org/authors/id/S/SN/SNEEX/autoRespdr.EMail.Filter_v4.11N
(Its actually somewhat embarrassing; I try really hard to not program that way. :)
-Sx-
-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>
