From: Jonathan S. <gel...@ge...> - 2001-11-26 22:44:18
FormMail.pl and wwwboard.pl are the real bogies as they are:
A) used more than most of the other programs
B) apparently more often attacked by crackers and spammers
I address FormMail.pl here as the other one makes me brane hert ...
A lot of stuff can come from user supplied input via the form:
my @fields = qw(
recipient
subject
email
realname
redirect
bgcolor
background
link_color
vlink_color
text_color
alink_color
title
sort
print_config
required
env_report
return_link_title
return_link_url
print_blank_fields
missing_fields_redirect
);
Yes, most of this is escaped and so forth, but I dunno, I get a worry that
maybe this is still a large bunch of stuff to be sure is checked ...
Firstly, I am going to provide a means for the end user to override the use
of these in the code (in a backward compatible way). Secondly, are any of
the coverage guys on this list (Pony Man, Robin, anyone?)? It might be
useful to be able to track the use of variables with a separate tool that
can tell if (e.g.) escape_html() has been called on a variable before it
is interpolated into a string that is going to be printed. Yeah sure, I
could reconstruct it from the proposed magic for non-Y2K compliant uses of
(localtime)[5] but I can't be arsed ... it gives me the CvGv's ;-}
On the whole though guys it's looking great ...
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
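One cheap way to get the "has escape_html() been called on this before it is printed" check the post asks for, as an added example that is neither the nms FormMail.pl code nor anything on the list: escape_html() returns a blessed value, and an output gate refuses anything that is not blessed. The %form hash, the Escaped package and safe_print() are all constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of a few of the user-supplied FormMail fields listed above
# (the real script reads them from the CGI request; hardcoded so this runs offline).
my %form = (
    realname  => 'Jon <b>Stowe</b>',
    subject   => 'Hello & "goodbye"',
    recipient => 'webmaster@example.com',
);

# Hypothetical marker class: escape_html() wraps its result in this so the
# output gate can tell escaped text from raw form input.
{
    package Escaped;
    use overload '""' => sub { ${ $_[0] } }, fallback => 1;
    sub new { my ($class, $s) = @_; return bless \$s, $class }
}

sub escape_html {
    my $s = "" . shift;          # flatten, in case it is already Escaped
    $s =~ s/&/&amp;/g;           # ampersand first, so later entities survive
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return Escaped->new($s);
}

# Output gate: every interpolated value must have gone through escape_html().
sub safe_print {
    my ($template, @values) = @_;
    for my $v (@values) {
        die "unescaped value interpolated into output: '$v'\n"
            unless ref $v && $v->isa('Escaped');
    }
    printf $template, @values;   # %s stringifies the Escaped objects
}

# Escaped value passes the gate:
safe_print("<p>From: %s</p>\n", escape_html($form{realname}));

# Raw form input is refused before it reaches the page:
eval { safe_print("<p>Subject: %s</p>\n", $form{subject}) };
print "refused: $@" if $@;
```

This only catches values passed through the gate; strings built elsewhere with "..." interpolation bypass it, which is the case a coverage-style tool would still have to find.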