Eitan Adler <li...@eitanadler.com> wrote:
> I wrote a program to fetch email from an IMAP account, look to see if I
> sent it, if yes execute any commands in the email and email the results
> back via an SMTP server.
[...]
> 2) Secondly since this program executes commands from a potentially
> insecure source I'd like to know if you find any security issues with
> my code. I used Mail::IMAPClient::get_header($_,"From") to verify
> that I'm sending myself commands-- is this safe?
[...]

No. Mail headers are easily forged. You should probably be using PGP or S/MIME 
to authenticate your request. The request body should also include a request 
sequence number that you could use to guard against a replay attack where an 
attacker would resend an old valid mail.

Cheers,
Thomas
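
The check Thomas describes, as an added example that is not part of the thread or of Eitan's script: the verifier ignores the From header entirely, authenticates the body, and rejects any sequence number it has already seen. Assumptions: an HMAC over a shared secret stands in for the PGP/S/MIME signature (the structure of the check is the same), and the body format `seq=…`, `cmd=…`, `sig=…` is constructed for this example.

```python
import email
import hashlib
import hmac
from email.message import EmailMessage

# Assumption: shared-secret HMAC in place of a PGP/S/MIME signature.
SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def sign_command(seq, cmd, secret=SECRET):
    """Body of an outgoing command mail: seq and cmd covered by one MAC."""
    payload = f"seq={seq}\ncmd={cmd}\n"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + f"sig={mac}\n"


def build_mail(from_addr, body):
    """Wrap a body in an RFC 5322 message. The From header is never trusted."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Subject"] = "command"
    msg.set_content(body)
    return msg.as_bytes()


class CommandVerifier:
    """Accept a command only if its MAC is valid and its seq is strictly newer."""

    def __init__(self, secret=SECRET, last_seq=0):
        self.secret = secret
        self.last_seq = last_seq  # highest sequence number already accepted

    def verify(self, raw_mail):
        """Return (accepted, reason, cmd) without consulting the From header."""
        msg = email.message_from_bytes(raw_mail)
        body = msg.get_payload(decode=True).decode()
        fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
        if not {"seq", "cmd", "sig"} <= fields.keys() or not fields["seq"].isdigit():
            return False, "malformed", None
        payload = f"seq={fields['seq']}\ncmd={fields['cmd']}\n"
        expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: a forged sig is rejected regardless of From.
        if not hmac.compare_digest(expected, fields["sig"]):
            return False, "bad signature", None
        seq = int(fields["seq"])
        if seq <= self.last_seq:  # an old valid mail resent is a replay
            return False, "replay", None
        self.last_seq = seq
        return True, "ok", fields["cmd"]
```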
