[320] in WWW Security List Archive
Re: GE Break-in: via HTTPD?
daemon@ATHENA.MIT.EDU (Brian Behlendorf)
Mon Jan 16 20:19:10 1995
Date: Mon, 16 Jan 1995 13:41:36 -0800 (PST)
From: Brian Behlendorf <brian@wired.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.89.9501161234.A14378-0100000@sdcc8.ucsd.edu>
Reply-To: www-security@ns2.rutgers.edu
On Mon, 16 Jan 1995, Paul Phillips wrote:
> Consider a form mail script that takes a user supplied variable and
> passes it to mail like so:
>
> system("/usr/ucb/mail -s $to_whoever");
If you have to do this, you can protect yourself by running the
user-supplied email address through a regular expression which
double-checks its validity. While I don't pass user-supplied variables
to the shell anywhere (nor to an eval() in Perl, equally dangerous), I do
use the following regular expression to check for valid email addresses:
/^\s*[A-Za-z0-9#%_=+\.\-]+@[A-Za-z0-9_\.\-]+\s*$/
There are more letters used in some email addresses, like !, {, and }
before the @ and [ and ] afterward; use them if you need to serve UUCP
and X400 hosts I suppose, but I can't guarantee they'd be safe on the
Unix prompt.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/
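The two defences the thread discusses, as an added example that is not part of the original post: Brian's whitelist regex transcribed into Python, and the mail call rewritten to pass argv as a list so no shell ever parses the address. The /usr/ucb/mail path is taken from the quoted script; shell_tokens() only shows how /bin/sh would have split an interpolated string and does not run anything.

```python
import re
import shlex
import subprocess

# Brian's address check from the post, in Python syntax. Every allowed
# character is inert to /bin/sh; whitespace is tolerated only at the ends.
ADDRESS_RE = re.compile(r"^\s*[A-Za-z0-9#%_=+\.\-]+@[A-Za-z0-9_\.\-]+\s*$")


def is_safe_address(addr):
    """True only if addr matches the whitelist; anything else is refused."""
    return ADDRESS_RE.match(addr) is not None


def shell_tokens(to_whoever):
    """Show how the quoted system("/usr/ucb/mail -s $to_whoever") form
    hands the string to the shell: any whitespace in the user's value
    becomes extra argv entries. Illustration only, nothing is executed."""
    return shlex.split("/usr/ucb/mail -s " + to_whoever)


def build_mail_command(to_whoever, subject):
    """Build argv for /usr/ucb/mail without involving a shell.
    Raises ValueError when the recipient fails the whitelist."""
    if not is_safe_address(to_whoever):
        raise ValueError("rejected recipient address")
    # List form: each element reaches execve() unchanged, so the address
    # is always exactly one argument regardless of its contents.
    return ["/usr/ucb/mail", "-s", subject, to_whoever.strip()]


def send_mail(to_whoever, subject, body):
    """Validate, then run mail(1) with argv list form (shell=False)."""
    argv = build_mail_command(to_whoever, subject)
    subprocess.run(argv, input=body.encode(), check=True)
```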