Jan Pieter Cornet wrote:
> The best protection is to look for embedded CR or LF characters in
> a field that should not contain such characters, like the Subject,
> To, From or any other field that would end up in a header. If there
> are any, just reject with an error.
>
> You might want to ignore newlines just before the end of string to work
> around some buggy browsers.

What I did on the form handlers I audited after all this started was go through and remove everything after the first CR or LF in any field that might be used in a header.

In Perl-speak, that's
    # drop the first CR or LF and everything after it; the /s modifier
    # lets . match across newlines, otherwise .* stops at the next LF
    $field =~ s/[\r\n].*//s;

To test it, I created copies of the forms with all text inputs and hidden inputs replaced with textareas.

If you use a hidden field, dropdown, or user input for the recipient and rely on your handler to verify that it matches your domain... don't forget to verify that it's only got one address. I was seeing things where they'd changed the recipient from "[EMAIL PROTECTED]" to "[EMAIL PROTECTED],[EMAIL PROTECTED]" -- which would still match /[EMAIL PROTECTED]/

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
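The three checks discussed in this thread (reject fields with an embedded CR or LF while tolerating a trailing newline, truncate at the first CR or LF, and insist that the recipient field carries exactly one address whose domain is an exact match rather than a substring match), as an added example in Python that is not code from the original posts. The sample form submissions, the function names and the example.com domain are constructed for illustration.

```python
import re
from email.utils import getaddresses

# Constructed sample form submissions (not from the original thread):
# a benign one, one carrying a header-injection payload, one with a
# trailing CRLF from a buggy browser, and one with a second recipient
# smuggled into the To field.
SAMPLES = {
    "benign": {"subject": "Question about pricing", "to": "sales@example.com"},
    "injected": {"subject": "Hi\r\nBcc: victim@example.net\r\n\r\nspam body",
                 "to": "sales@example.com"},
    "trailing_nl": {"subject": "Question about pricing\r\n", "to": "sales@example.com"},
    "two_rcpts": {"subject": "Question", "to": "sales@example.com,attacker@example.net"},
}

CRLF = re.compile(r"[\r\n]")


def header_field_ok(value: str) -> bool:
    """Reject-on-sight rule: no CR or LF anywhere in a header-bound field.
    Newlines at the very end are stripped first so a buggy browser that
    appends a trailing CRLF does not cause a spurious rejection."""
    return CRLF.search(value.rstrip("\r\n")) is None


def truncate_at_newline(value: str) -> str:
    """Truncation rule: keep only what precedes the first CR or LF.
    Splitting on the first match is the equivalent of s/[\\r\\n].*//s."""
    return CRLF.split(value, maxsplit=1)[0]


def naive_domain_check(value: str, domain: str) -> bool:
    """The substring test the thread warns about: it accepts
    'good@example.com,bad@attacker.example' because the domain appears."""
    return domain in value


def single_recipient_in_domain(value: str, domain: str) -> bool:
    """Exactly one address, no embedded newline, and the part after the
    last '@' must equal `domain` (case-insensitively), not merely contain it."""
    if CRLF.search(value):
        return False
    # getaddresses splits comma-separated lists and strips display names
    addrs = [addr for _, addr in getaddresses([value]) if addr]
    if len(addrs) != 1:
        return False
    local, sep, dom = addrs[0].rpartition("@")
    return bool(local) and sep == "@" and dom.lower() == domain.lower()


def check_submission(form: dict, domain: str) -> dict:
    """Run all three checks over one submitted form and report each result."""
    return {
        "subject_clean": header_field_ok(form["subject"]),
        "subject_truncated": truncate_at_newline(form["subject"]),
        "recipient_ok": single_recipient_in_domain(form["to"], domain),
        "naive_recipient_ok": naive_domain_check(form["to"], domain),
    }


if __name__ == "__main__":
    for name, form in SAMPLES.items():
        print(name, check_submission(form, "example.com"))
```

Of the two subject checks, rejection is the safer default: truncation silently mails a shortened subject, which hides the attack attempt from whoever reads the logs. The recipient check deliberately runs the CRLF test before parsing, because `getaddresses` would otherwise happily fold a `To: x\r\nBcc: y` payload into a single address list.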