[PLUG] Re: can one email from within a program?
Randal L. Schwartz
merlyn at stonehenge.com
Thu May 10 10:17:10 UTC 2007
>>>>> "Carlos" == Carlos Konstanski <ckonstanski at pippiandcarlos.com> writes:
Carlos> Here's a perl function that will do as Rich suggested (i.e. opening a pipe
Carlos> to a mailer program). The body is passed in as a string. For tightest
Carlos> security, it is best to hardcode the recipient at minimum. If the
Carlos> recipient were a function argument, it would be more possible for a hacker
Carlos> to exploit the function as a mass mailer. With a hardcoded recipient, it
Carlos> can only spam one person.
Carlos> sub send_mail {
Carlos>     my $body = pop(@_);
Carlos>     my $to = $SENDER;
Carlos>     my $from = $RECIPIENT;
Carlos>     my $subject = $SUBJECT;
Carlos>     my $sendmail = "/usr/lib/sendmail -t -oi -f $to";
Carlos>     open(MAIL, " |$sendmail") || die "Can't start sendmail: $!";
Carlos>     print MAIL "From: $from\n";
Carlos>     print MAIL "To: $to\n";
Carlos>     print MAIL "Subject: $subject\n";
Carlos>     print MAIL $body;
Carlos>     close(MAIL);
Carlos> }
As coded, if I can provide $SENDER or $SUBJECT, I can also spam people.
Please don't invoke sendmail this way. From Perl, there are safer
alternatives.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn at stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
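
The objection above, shown as an added example that is not code from either poster: the quoted function interpolates a variable into a shell command line and lets `sendmail -t` take recipients from whatever header lines end up in the message. This sketch assumes hypothetical names (`send_mail_safely`, `clean_header`) and constructed `example.org` addresses; the sendmail path and the `-oi`/`-f` flags are the ones in the quoted post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values for illustration; fixed in the program, not taken from callers.
my $SENDMAIL  = '/usr/lib/sendmail';        # path from the quoted post
my $RECIPIENT = 'webmaster@example.org';    # constructed address
my $SENDER    = 'noreply@example.org';      # constructed address

# Refuse any header value that could end its line and begin another header.
sub clean_header {
    my ($name, $value) = @_;
    die "$name contains a line break or NUL\n" if $value =~ /[\r\n\0]/;
    return $value;
}

# Hypothetical replacement for send_mail(): callers supply only subject and body.
sub send_mail_safely {
    my ($subject, $body) = @_;
    $subject = clean_header(Subject => $subject);

    # List-form open: each element is passed as one argv entry, no shell parses it.
    # No -t: the recipient is given after "--" and is never read from the headers.
    my @cmd = ($SENDMAIL, '-oi', '-f', $SENDER, '--', $RECIPIENT);
    open(my $mail, '|-', @cmd) or die "Can't start sendmail: $!\n";

    # The blank line ends the header block, so the body cannot add headers.
    print {$mail} "From: $SENDER\n", "To: $RECIPIENT\n",
                  "Subject: $subject\n", "\n", $body;
    close($mail) or die "sendmail failed: exit status $?\n";
    return 1;
}

# Constructed input: a subject carrying a second header line.
# It is refused before sendmail is ever started.
my $hostile = "Hello\nX-Injected: 1";
eval { send_mail_safely($hostile, "body text\n"); 1 }
    or print "rejected: $@";
```

Run as is, the script only exercises the rejection path and prints the refusal; it sends mail only when `send_mail_safely` is called with a single-line subject on a host that has the sendmail binary.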