Camilo Gonzalez wrote:

zsdc wrote:

Camilo Gonzalez wrote:

zsdc wrote:

Tracy Hurley wrote:

Camilo,

I don't think you need to put $email in quotes to do the check, but it works if you do. Try this:

if $email =~/@.*@/g || $email =~ /\n/s;

It still might not be secure depending on how $email is being used later. Is it used in a system() call? In open()? In backticks? What about the whitespace? What if there is "\r" in $email? What about ";"? "\0"?


I would suggest to match safe characters, not the unsafe ones, because it's easy to overlook something. Camilo, it's very good that you use the taint mode here. Check out CGI::Untaint::email, this is exactly what you need:

http://search.cpan.org/search?module=CGI::Untaint::email
http://search.cpan.org/search?module=CGI::Untaint

It's used like this:

use CGI::Untaint;
my $untaint = CGI::Untaint->new($cgiobj->Vars);
my $email = $untaint->extract(-as_email => 'email');

You should do the same with other parameters, like name and address. You might need to write your own handler, but it's very easy. Here's an example from the CGI::Untaint documentation, to match a single digit:

package Mysite::CGI::Untaint::digit;
use base 'CGI::Untaint::object';
sub _untaint_re { qr/^(\d)$/ }
1;

Seems like a tad bit of overkill for my purpose. Thanks for the caveat about other unsafe characters and I'll keep the CGI::Untaint module in mind in the future.

It seems I needed to escape the backslash in '\n'. Here's my new code:

#!/usr/local/bin/perl -wT
use CGI::Carp qw(fatalsToBrowser);
use strict;
use CGI;
my $cgiobj = new CGI;
$ENV{PATH} = "";

#Get parameters
my $name = $cgiobj->param('name');
my $address = $cgiobj->param('address');
my $email = $cgiobj->param('email');
die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;

My advice about unsafe characters was to match _safe_ characters instead of unsafe ones, i.e.:


die unless $email =~ /$ safe pattern ^/;

and never:

die if $email =~ /$ unsafe pattern ^/;

I haven't even shown every potentially dangerous character; those were only a few examples. To be honest I can't understand why this is an overkill:

use CGI::Untaint;
my $untaint = CGI::Untaint->new($cgiobj->Vars);
my $email = $untaint->extract(-as_email => 'email');

while this isn't:

my $email = $cgiobj->param('email');
die &Print_Error if $email =~ /@.*@|\\n|;|\0|,/gs;

especially when your regular expression has to be much longer, because it still is unsafe. (By the way, it doesn't match a newline, only a backslash followed by "n").

How do you use the $mail variable later in your program? How do you actually send the email? I'll tell you how it can be dangerous, but only when I know how it is used.

My concern is to prevent a spammer from sending BCC messages using the email field of my contact form. I figure if I can prevent him from sending a line with more than one asterisk and/or a slash followed by an n, I can prevent him from sending BCC messages.

Unfortunately, that is not the case.


I realise there are lots more dangerous characters out there but frankly, I'm too damn lazy to look for them. I truly do appreciate your help and I apologize if you've taken umbrage with anything I've said, but TMTOWTDO, man. Chill.

OK, no problem. -- ZSDC
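The following is an added example, not code posted by anyone in this thread. It puts the two approaches discussed above side by side: the denylist regex as posted (minus /g) and an allowlist check that returns the address only if the whole value consists of safe characters. The function names and the sample inputs are constructed for illustration; the inputs are string literals, so they are not tainted, but the capture-and-return pattern in safe_email() is the same one that clears the taint flag on $cgiobj->param data under -T.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Run as:  perl -T email_check.pl
# (taint mode only matters once the input comes from $cgiobj->param).
use strict;
use warnings;

# The denylist test as posted in the thread (without /g). Inside a regex
# the two characters "\\n" match a backslash followed by "n", NOT a newline.
sub rejected_by_denylist {
    my ($email) = @_;
    return ($email =~ /@.*@|\\n|;|\0|,/s) ? 1 : 0;
}

# Allowlist test: the whole value must be a single address built from a
# small set of safe characters. \A and \z anchor both ends; a plain "$"
# would still accept a trailing newline. Returns the untainted address
# (under -T the capture group is what clears the taint flag) or undef.
sub safe_email {
    my ($email) = @_;
    return undef unless defined $email;
    return $1 if $email =~ /\A([A-Za-z0-9._%+-]{1,64}\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\z/;
    return undef;
}

# Constructed sample inputs (hypothetical, not taken from the thread).
my @samples = (
    [ plain            => 'user@example.com' ],
    [ two_addresses    => 'user@example.com, other@example.org' ],
    [ backslash_n_text => 'user@example.com\nX-Foo: bar' ],          # literal "\n": two characters
    [ real_newline     => "user\@example.com\nSubject: injected" ],  # an actual newline, one header added
    [ trailing_newline => "user\@example.com\n" ],
);

printf "%-18s %-16s %s\n", 'input', 'denylist rejects', 'allowlist result';
for my $s (@samples) {
    my ($label, $value) = @$s;
    my $clean = safe_email($value);
    printf "%-18s %-16d %s\n", $label,
        rejected_by_denylist($value),
        defined $clean ? "accepted as '$clean'" : 'rejected';
}
```

Running it shows the point made above: the denylist rejects the second address, the comma and the two-character sequence backslash-n, but lets the real_newline and trailing_newline values through untouched, which is exactly what a header injection needs. The allowlist rejects all four bad inputs and accepts only the plain address, and the rule that decides this is one short pattern rather than a growing list of characters to remember.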


-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] <http://learn.perl.org/> <http://learn.perl.org/first-response>