«

Hi,

I would like to write a python script that can be used in my website for
other people whoever browse my webside to send an email using my smtp
server. Is there any sample python script can do that?
Here is my python script, but it does not display To and From editbox in
the webpage for user type in their addresses:

#!/usr/bin/python

import smtplib, cgi, string

form = cgi.FieldStorage()

# Change the lines below to specify the TO and
# FROM addresses

toaddr = ''
fromaddr = ''

# Special form fields used by the email.cgi
# script

ack_url = form.getvalue('ack_url',None)
ack_text = form.getvalue('ack_text','Your submission was successful')
subject = form.getvalue('subject', '')

# form fields to skip
to_skip = ['ack_url', 'ack_text', 'subject', 'to']

# create the email headers

msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
subject)

for key in form.keys():
if string.lower(key) in to_skip: continue
msg = msg + "%s: %s\n\n" % (key, form.getvalue(key))

server = smtplib.SMTP('mail.xyx.com')
server.set_debuglevel(0)
server.sendmail(fromaddr, toaddr, msg)
server.quit()

if ack_url:
print "Location: %s" % (ack_url)
print

else:
print "Content-type: text/html"
print
print ack_text

wonder <> wrote:
>
>I would like to write a python script that can be used in my website for
> other people whoever browse my webside to send an email using my smtp
>server. Is there any sample python script can do that?

It looks lik you have one here.

>Here is my python script, but it does not display To and From editbox in
>the webpage for user type in their addresses:

Well, then, add <input type=text name=to size=80> and <input type=text
name=from size=80> to your web page and fetch them here. The rest of this
looks fine.
--
- Tim Roberts,
Providenza & Boekelheide, Inc.

wonder <> wrote in message news:<cfni2i$j0f$>...
> Hi,
>
> I would like to write a python script that can be used in my website for
> other people whoever browse my webside to send an email using my smtp
> server. Is there any sample python script can do that?
> Here is my python script, but it does not display To and From editbox in
> the webpage for user type in their addresses:
>
> #!/usr/bin/python
>
> import smtplib, cgi, string
>
> form = cgi.FieldStorage()
>
> # Change the lines below to specify the TO and
> # FROM addresses
>
> toaddr = ''
> fromaddr = ''
>
> # Special form fields used by the email.cgi
> # script
>
> ack_url = form.getvalue('ack_url',None)
> ack_text = form.getvalue('ack_text','Your submission was successful')
> subject = form.getvalue('subject', '')
>
> # form fields to skip
> to_skip = ['ack_url', 'ack_text', 'subject', 'to']
>
> # create the email headers
>
> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)

I'm using almost the same syntax, but I'm not using '\r\n', only '\n'.

Hope this helps..

wonder <> wrote:

> Is there any sample python script can do that?

Not that I know of, but it's pretty simple. Your script seems to cover
it, except for some security issues:

> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)

'subject' comes directly from a form submission but has not been
sanitised and can contain control characters. (Some form handling
software will remove them automatically for you, but the 'cgi' module
does not.)

So if an attacker inserts a '\n' into the subject field they can add
arbitrary headers and body content to the mail you are sending out.
You probably don't want that.

> print "Content-type: text/html"
> print
> print ack_text

Here the text is not HTML-escaped. An attacker can send a user to the
form script with an ack_text parameter of
'<script>alert(document.cookie)</script>' or similar
cross-site-scripting exploits. If your site is not particularly
sensitive this might not be a problem for you, but's it's a bad idea
in general.

> it does not display To and From editbox in the webpage for user type in
> their addresses

If you allow both the 'To' address and arbitrary message text to be
supplied, your script is very likely going to be spending most of its
life sending spam!

--
Andrew Clover
private.php?do=newpm&u=