[dokuwiki] Re: Contact form plugin - my first one

From: Harry Fuecks <hfuecks@xxxxxxxxx>
> Second that: http://securephp.damonkohler.com/index.php/Email_Injection

Wow, now I see why I've been getting spam emails from myself -- from an email 
address I generally don't advertize.  PHPMailer does nothing to protect against 
injection attacks.

It sounds like the problem is specifically with LF or CR making it into the 
final message, not with the strings "%0A" and "%0D" making it through.  I 
assume those strings are only meaningful in HTTP GETs.

It's not entirely clear to me reading the above article, but would the 
following be sufficient?

- Reject messages with CR or LF in a header parameter.
- Convert CR or LF or any combination of these to a string (e.g. ##).

Where does this behavior belong?  Only the send_mail() caller knows whether 
this needs to be done, but multiple send_mail() callers might need to do it.  
In my case, I'm calling a phpmailer plugin from both within DokuWiki and 
outside of DokuWiki (but this is probably out of scope for us).

~joe
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
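Both options from the post, as an added example written for this thread (not DokuWiki or PHPMailer code): a reject check, a CR/LF neutraliser, and a single choke point that every send_mail() caller passes its headers through, so the check is not left to each caller. The header names and the `##` replacement are taken from the post; the sample subject is constructed.

```php
<?php
// Added example, not part of the original post or of DokuWiki/PHPMailer.
// PHP url-decodes $_GET/$_POST before your code sees them, so a "%0A" in a
// request already arrives as a raw "\n"; the raw characters are what to check.

// Option 1 from the post: reject any header parameter containing CR or LF.
function header_value_is_safe(string $value): bool
{
    // A raw "\r" or "\n" is what lets a form value start a new header line
    // (for example an extra Bcc:) inside a Subject or From field.
    return strpbrk($value, "\r\n") === false;
}

// Option 2 from the post: turn any run of CR/LF into a visible marker (##).
function neutralise_header_value(string $value, string $replacement = '##'): string
{
    return preg_replace('/[\r\n]+/', $replacement, $value);
}

// One choke point in front of the mailer: validate every header name and
// value and fail on the first unsafe one, so nothing is sent silently.
function assert_headers_safe(array $headers): void
{
    foreach ($headers as $name => $value) {
        if (!header_value_is_safe((string) $name) || !header_value_is_safe((string) $value)) {
            throw new InvalidArgumentException("CR/LF in mail header '$name'");
        }
    }
}

// Constructed input: a form field that tries to smuggle a second header
// by embedding a line break in the subject.
$subject = "Hello\r\nBcc: someone@example.com";

echo header_value_is_safe($subject) ? "safe\n" : "rejected\n";
echo neutralise_header_value($subject), "\n";

try {
    assert_headers_safe(['From' => 'joe@example.com', 'Subject' => $subject]);
    echo "headers accepted\n";
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Calling assert_headers_safe() inside the plugin's own send wrapper covers callers both inside and outside DokuWiki with one check.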
