httpd-modules-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Sending email from an Apache content generator
Date Thu, 31 May 2007 15:15:55 GMT
On Thu, 31 May 2007 10:01:06 -0500
"Frank Jones" <jonesf11@gmail.com> wrote:


> I should add some details. First, this is a pre-existing module in C,
> not new development. I need to look up a value in a database and then
> send a standard response email.

OK.  Well, a few bullet points to improve security in what you wrote:
 * Don't call "mail".  Always call external programs by their full path.
 * But make that path configurable by the sysop.
 * Set up your process environment explicitly before forking a process.

>   There is no user input in the email so
> my security concerns are not what they might be otherwise.

>   Second, I
> don't know anything at all about perl,

In that case, scrap the idea of using it to prototype this.
The great virtue of perl's taint checking is that it will simply
refuse to run "mail" without securing your call to it.  That
makes it a great teacher!

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
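
The three points in the reply above, in plain POSIX C, as an added example that is not from the original message or from the module being discussed. `run_mailer`, the contents of the clean environment and the use of `/bin/cat` as a stand-in mailer are assumptions for illustration; in a module the absolute path would come from a directive set by the sysop.

```c
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run the program at `path` (absolute, taken from
 * configuration) with `args`, feed `body` to its stdin, and return its
 * exit status, or -1 on any failure. */
int run_mailer(const char *path, char *const args[], const char *body)
{
    /* The child gets exactly this environment; nothing is inherited. */
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };
    int fds[2], status;
    pid_t pid;

    if (path == NULL || path[0] != '/')   /* full path only, no PATH search */
        return -1;
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                        /* child */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        execve(path, args, clean_env);     /* no shell, explicit environment */
        _exit(127);                        /* only reached if exec failed */
    }
    close(fds[0]);                         /* parent */
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* child may exit early */
    size_t len = strlen(body);
    ssize_t n = write(fds[1], body, len);
    signal(SIGPIPE, old);
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0 || n != (ssize_t)len)  /* always reap */
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: /bin/cat stands in for the sysop-configured mailer. */
    char *args[] = { "cat", NULL };
    int rc = run_mailer("/bin/cat", args, "Subject: test\n\nbody\n");
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Because `execve` is given the environment array directly, variables set in the server's own environment never reach the child, and a relative name such as "mail" is rejected before any process is created.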
