[dokuwiki] Re: Contact form plugin - my first one

  • From: Chris Smith <chris@xxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 27 Oct 2005 17:29:42 +0100

Joe Lapp wrote:

From: Harry Fuecks <hfuecks@xxxxxxxxx>
Second that: http://securephp.damonkohler.com/index.php/Email_Injection

Wow, now I see why I've been getting spam emails from myself -- from an email address I generally don't advertize. PHPMailer does nothing to protect against injection attacks.

Where does this behavior belong?
It's not really a mailer issue. It's an incoming data validation/cleansing issue. If data for any of to, from or subject fields contains unexpected data it should be discarded. iirc, for mail injection that means strings which contain new lines. But there is no reason not to be testing for other data which has no place in those fields. Dokuwiki already contains routines to validate some forms of data, investigate those before deciding if you need to write your own.

The %xx you see is a mechanism for passing characters in URLs which are otherwise not allowed. They are normally converted into the appropriate character. See php manual entries for urlencode, urldecode, rawurlencode, rawurldecode.

Also if you are echoing any of this data back to the browser, you need to take care with html attacks. At a minimum filter through htmlspecialchars or htmlentities.

Chris Shiflett (shiflett.org) is a pretty good source of information on security and php, although his site is getting more commercial and it's becoming more difficult to find the good stuff.

Cheers,

Chris
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
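An added example (not code from the DokuWiki project or from any post in this thread) of the validation approach Chris describes: header-bearing fields (from, subject) are rejected outright if they contain newlines or other control characters, checked both raw and after URL-decoding so a %0d%0a sequence cannot slip through, the address is syntax-checked, and anything echoed back is passed through htmlspecialchars. Function names and the sample submissions are constructed for illustration.

```php
<?php
// Added example (not from the DokuWiki project or the mailing list post):
// discard contact-form submissions whose header fields contain newlines or
// other control characters, validate the address syntax, and escape anything
// echoed back to the browser.

declare(strict_types=1);

/**
 * True when $value is safe to place on a single mail header line.
 * Header injection relies on smuggling CR/LF into To/From/Subject, so any
 * control character is grounds to reject the whole value, not "clean" it.
 */
function isSafeHeaderValue(string $value, int $maxLength = 256): bool
{
    if ($value === '' || strlen($value) > $maxLength) {
        return false;
    }
    // Check both the raw value and its URL-decoded form, so an encoded
    // %0d%0a that was not decoded upstream is still caught.
    foreach ([$value, rawurldecode($value)] as $candidate) {
        if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
            return false;
        }
    }
    return true;
}

/** Stricter check for an address field: safe header value AND valid syntax. */
function isSafeAddress(string $value): bool
{
    return isSafeHeaderValue($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Validate a contact-form submission. Returns the fields when every header
 * field passes, or null so the caller discards the submission entirely.
 */
function validateContactForm(array $post): ?array
{
    $from    = trim((string)($post['from'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['body'] ?? '');

    if (!isSafeAddress($from) || !isSafeHeaderValue($subject)) {
        return null;
    }
    return ['from' => $from, 'subject' => $subject, 'body' => $body];
}

// Constructed sample submissions (hypothetical data, not real traffic).
$samples = [
    'good'      => ['from' => 'alice@example.com', 'subject' => 'Hello'],
    'rawcrlf'   => ['from' => "alice@example.com\r\nBcc: other@example.com", 'subject' => 'Hi'],
    'encoded'   => ['from' => 'alice@example.com', 'subject' => 'Hi%0d%0aBcc: other@example.com'],
    'html'      => ['from' => 'alice@example.com', 'subject' => '<b>bold</b> "quoted"'],
];

foreach ($samples as $name => $post) {
    $clean = validateContactForm($post);
    // When echoing user data back to the browser, escape it first.
    $shown = htmlspecialchars($post['subject'], ENT_QUOTES, 'UTF-8');
    printf("%-8s %-8s subject shown as: %s\n",
        $name, $clean === null ? 'REJECTED' : 'accepted', $shown);
}
```

The 'rawcrlf' and 'encoded' samples are rejected (the first by both the control-character check and FILTER_VALIDATE_EMAIL, the second because rawurldecode turns %0d%0a into CR/LF); the 'html' sample is accepted as a header value but its markup is rendered inert by htmlspecialchars before display.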
