Menu
▾
▴
[Nms-cgi-devel] Formmail is still fu*ked
|
From: Jonathan S. <gel...@ge...> - 2001-11-26 22:44:18
|
FormMail.pl and wwwboard.pl are the real bogies as they are :
A) used more than most of the other programs
B) apparently more often attacked by crackers and spammers
I address FormMail.pl here as the other one makes me brane hert ..
A lot of stuff can come from user supplied input via the form:
my @fields = qw(
recipient
subject
email
realname
redirect
bgcolor
background
link_color
vlink_color
text_color
alink_color
title
sort
print_config
required
env_report
return_link_title
return_link_url
print_blank_fields
missing_fields_redirect
);
Yes, most of this is escaped and so forth but I dunno I get a worry that
maybe this is still a large bunch of stuff to be sure that it is checked
..
Firstly I am going to provide a means for the end user to override the use
of these in the code (in a backward compatible way), secondly are any of
the coverage guys on this list (Pony Man, Robin, Anyone ?) - it might be
useful to be able to track the use of variables with a separate tool that
can tell if (E.G.) escape_html() has been called on a variable before it
is interpolated into a string that is going to printed ? Yeah sure I
could reconstruct it from the proposed magic for non-Y2K compliant uses of
(localtime)[5] but I can't be arsed ... it gives me the CvGv's ;-}
On the whole though guys it's looking great ...
/J\
--
Jonathan Stowe |
<http://www.gellyfish.com> | This space for rent
|
|