John, et al -- [Been a while! How ya been?]
...and then John Holmes said...
%
% David T-G wrote:
%
% >I'd like some sanity checks on safely using input for sending mail. I'm
...
% >At the moment, I am running escapeshellcmd() on the From:, To:, Subject:,
...
% >his own bandwidth limits). Unfortunately, escapeshellcmd() also escapes
% >the ? and &s in the URL and breaks it; I think it will have to go away.
% >I'm also ready to believe that I've overlooked half a dozen other things.
% >
% >How would you guys tackle this?
%
% This isn't what escapeshellcmd() is for; not sure why you chose that one.
Noobness, I suppose :-) I wanted to avoid having problematic commands
fed in to break my script; perhaps that's only a DB-type exploit (though
an answer that simple doesn't seem likely).
%
% Are you sending this as an HTML or Text email? Either way, you control
% the body of the email (the page that's being sent), so you don't really
% have to worry about that.
Just text.
%
% If you're sending an HTML mail, then use htmlentities() on the text
% before putting it in the email. If you're sending a text email, then you
% can strip_tags() from it.
Ah; OK.
%
% The biggest thing to look out for is mail header injection. If you're
Indeed. I figured as much, but escapeshellcmd() is as far as I got.
% taking any user input and putting it into the headers (from, to,
% subject, etc), then newlines need to be stripped. You're allowing the
Ahhhhhh... That makes sense. Thanks.
% user to set the To: address, I assume (the recipients). If you're
% sticking that $to variable from the user directly into mail(), you could
% be vulnerable (same if you create a From: header or use user input in
% the subject).
Yep.
%
% For example, say you're collecting my email address for the From: header.
%
% $headers .= "From: {$_POST['email']}\r\n";
...
% So strip newlines from user input or reject input if it contains newlines.
%
% str_replace(array("\r","\n",'',$text)
For the archives, you need ^^^^ here a closing ) on your array :-)
%
% Is one way to do it.
%
% If I left anything out, I'm sure Chris will jump on it. :)
Good; thanks to all in advance!
%
% --
%
% ---John Holmes...
HAND
:-D
--
David T-G
[EMAIL PROTECTED]
http://justpickone.org/davidtg/ Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
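As an added example for the archives (my own code, not John's or David's, and not part of the thread), here is the header-injection point above worked through in PHP 7+: the unsafe pattern that drops a POST value straight into a header line, the str_replace() stripping approach from the thread with its array properly closed, and a stricter reject-on-newline check. Function names and the sample inputs are my own; the inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread. Requires PHP 7+.

// The unsafe pattern discussed above: a raw form value becomes a header
// line, so a value containing "\r\n" can start further header lines
// (or, after a blank line, the message body).
function buildFromHeaderUnsafe(string $email): string
{
    return "From: {$email}\r\n";
}

// Option 1: the str_replace() approach from the thread, with the array
// closed properly. CR and LF are removed so no new header line can begin.
function stripNewlines(string $text): string
{
    return str_replace(["\r", "\n"], '', $text);
}

// Option 2 (preferred): reject the value outright. Stripping silently
// turns "a\r\nBcc: x" into "aBcc: x", which hides the attempt; rejecting
// gives you a log entry and a clear error instead.
function assertNoNewlines(string $text, string $field): string
{
    if (preg_match('/[\r\n\0]/', $text) === 1) {
        throw new InvalidArgumentException("Newline or NUL byte in {$field}");
    }
    return $text;
}

// Addresses also get a syntax check, which catches anything more exotic
// than a bare newline.
function assertEmailAddress(string $addr): string
{
    $addr = assertNoNewlines($addr, 'address');
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Malformed address: {$addr}");
    }
    return $addr;
}

// Assemble the header string only from validated values.
function buildHeaders(string $from, string $subject): array
{
    $from    = assertEmailAddress($from);
    $subject = assertNoNewlines($subject, 'subject');
    return [
        'headers' => "From: {$from}\r\n",
        'subject' => $subject,
    ];
}

// Constructed demonstration inputs (hypothetical, not real addresses):
// one clean value and one carrying an embedded header line.
$inputs = [
    'reader@example.com',
    "reader@example.com\r\nBcc: someone-else@example.com",
];

foreach ($inputs as $value) {
    echo "Unsafe header would be:\n" . buildFromHeaderUnsafe($value) . "\n";
    echo "After stripNewlines(): " . stripNewlines($value) . "\n";
    try {
        $built = buildHeaders($value, 'Look at this page');
        echo "Accepted: " . $built['headers'];
    } catch (InvalidArgumentException $e) {
        echo "Rejected: " . $e->getMessage() . "\n";
    }
    echo "\n";
}
```

Run it from the command line with php; the first input is accepted and the second is rejected by assertNoNewlines() before filter_var() is ever reached. The same check applies to the To: recipients and the Subject: line, since all three end up in header space.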