From: Jonathan S. <jn...@ge...> - 2004-08-20 11:03:15

On Fri, 2004-08-20 at 09:00, Jonathan Stowe wrote:
> uid=68026(gellyfish) gid=100(users) groups=100(users),40625(nms-cgi),7054(xmlxslt)
> tfmail README,1.28,1.29 TFmail.pl,1.25,1.26
> Fri Aug 20 01:00:16 PDT 2004
> Update of /cvsroot/nms-cgi/tfmail
> In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv15714
>
> Modified Files:
> README TFmail.pl
> Log Message:
> * Added recipient_input
> * Added no_content
>

The intent of these changes is to allow TFmail to be used as a "Recommend this Page" type of thing; this means that it needs to accept an arbitrary address for the recipient. Generally this would be a bad thing. What I have done is fix things so that if the recipient_input field is defined in the .trc then all of the templating directives are removed from the template for the main email (so attempting to use any will give rise to an error). This will of course still allow TFmail to be used to potentially mailbomb someone (but of course it could already do that if the confirmation mail was being sent), but it can't (or shouldn't be able to) be used for sending a spammer's content.

The second change is just so that it will emit a 204 status if no_content is set to 1 so the page is not updated. I don't believe there are any security considerations with this.

I would really like it if as many people as possible could cast their eyes over the code and do some testing, as I don't really want to do a release unless we are fairly content that no new security holes have been introduced.

While you are looking at the code, any refactoring would be welcome. I have been hacking on TFmail in the hotel bar while the battery holds out, which rather militates against elegance of design.

/J\