>>>>> "Will" == Will Bontrager <[EMAIL PROTECTED]> writes:

Will> exit if $FORM{email} =~ /[EMAIL PROTECTED]@/s;

Once again, a bad regex for checking an address.  A "local part"
of an email (the part to the left of the '@') *can* have an "@"
as well.  This is a legal address, if I recall correctly:

        [EMAIL PROTECTED]@stonehenge.com

Will> Another method is to target any form field that will be used in any
Will> email header line (name, email, subject, whatever). The form field
Will> contains a junk value plus a line feed plus Cc: or Bcc: plus a whole
Will> list of email addresses, plus two line feeds, plus the hijacker's
Will> email body message. The following line can detect line feeds in a form
Will> field value:

Will> exit if $FORM{subject} =~ /(?:[\n\r]|\%0[ad])+/si;

Uh, by the time you process your form element, there shouldn't
*be* any %0a or %0d there.  Also, % doesn't need to be backwhacked.
This regex looks cargo-culted... {sigh}.


-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
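The two points above, that a quoted local part may itself contain an '@' (RFC 5322 permits e.g. "merlyn@home"@stonehenge.com) and that the only thing worth rejecting in a header-bound form value is a raw CR or LF, as an added Perl example that is not part of the original post. The functions header_safe, looks_like_address and build_headers, the naive header builder, and the constructed form values are assumptions made for illustration; the post's %FORM hash is mirrored here as %form.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the original post.
# By the time a form value lands in %form it has already been percent-decoded,
# so a literal "%0a" is just text; the dangerous characters are real CR/LF.
sub header_safe {
    my ($value) = @_;
    return defined $value && $value !~ /[\r\n]/;
}

# Loose address check that does not choke on a second '@':
# either a quoted local part (which may contain '@') or an unquoted one,
# followed by exactly one '@' and a dotted domain.
sub looks_like_address {
    my ($addr) = @_;
    return 0 unless header_safe($addr);
    return $addr =~ /^(?:"[^"\r\n]*"|[^"@\s]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ ? 1 : 0;
}

# The way a naive formmail script assembles its message: every form value
# is dropped straight into a header line.
sub build_headers {
    my (%f) = @_;
    return join("\n",
        "To: webmaster\@example.com",
        "From: $f{email}",
        "Subject: $f{subject}",
    ) . "\n\n$f{body}\n";
}

# Constructed hijack attempt (not real traffic): the subject carries a line
# feed, a Bcc: header with a recipient list, a blank line, and a new body.
my %form = (
    email   => 'visitor@example.net',
    subject => "hello\nBcc: a\@example.org, b\@example.org\n\nBuy now!",
    body    => 'legitimate message',
);

print "--- what the naive script would send ---\n";
print build_headers(%form);   # the injected Bcc: line becomes a real header

print "--- with the CR/LF check ---\n";
for my $field (qw(email subject)) {
    if (!header_safe($form{$field})) {
        print "rejected: form field '$field' contains a line break\n";
    }
}

print "--- address check ---\n";
for my $addr (
    '"merlyn@home"@stonehenge.com',      # legal: quoted local part with '@'
    'merlyn@stonehenge.com',             # legal
    'a@b@c.com',                         # two unquoted '@': rejected
    "x\@example.com\nBcc: y\@example.org", # header injection: rejected
) {
    (my $shown = $addr) =~ s/\n/\\n/g;
    printf "%-40s %s\n", $shown, looks_like_address($addr) ? 'ok' : 'rejected';
}
```

Note that looks_like_address is deliberately loose: it exists to show that counting '@' characters is the wrong test, not to be a full RFC 5322 parser. The check that actually stops the hijack is header_safe, applied to every value that will be placed on a header line.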
