A email.cgi script

 
 
wonder
      08-15-2004
Hi,

I would like to write a Python script that can be used in my website for
other people who browse my website to send an email using my SMTP
server. Is there any sample Python script that can do that?
Here is my Python script, but it does not display To and From edit boxes in
the webpage for users to type in their addresses:

#!/usr/bin/python

import smtplib, cgi, string

form = cgi.FieldStorage()

# Change the lines below to specify the TO and
# FROM addresses

toaddr = '(E-Mail Removed)'
fromaddr = ''

# Special form fields used by the email.cgi
# script

ack_url = form.getvalue('ack_url',None)
ack_text = form.getvalue('ack_text','Your submission was successful')
subject = form.getvalue('subject', '')

# form fields to skip
to_skip = ['ack_url', 'ack_text', 'subject', 'to']

# create the email headers

msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
subject)

for key in form.keys():
    if string.lower(key) in to_skip: continue
    msg = msg + "%s: %s\n\n" % (key, form.getvalue(key))

server = smtplib.SMTP('mail.xyx.com')
server.set_debuglevel(0)
server.sendmail(fromaddr, toaddr, msg)
server.quit()

if ack_url:
    print "Location: %s" % (ack_url)
    print
else:
    print "Content-type: text/html"
    print
    print ack_text
 
 
 
 
 
Tim Roberts
      08-16-2004
wonder <(E-Mail Removed)> wrote:
>
>I would like to write a python script that can be used in my website for
>other people whoever browse my website to send an email using my smtp
>server. Is there any sample python script can do that?


It looks like you have one here.

>Here is my python script, but it does not display To and From editbox in
>the webpage for user type in their addresses:


Well, then, add <input type=text name=to size=80> and <input type=text
name=from size=80> to your web page and fetch them here. The rest of this
looks fine.
--
- Tim Roberts, (E-Mail Removed)
Providenza & Boekelheide, Inc.
 
 
 
 
 
dijk
      08-16-2004
wonder <(E-Mail Removed)> wrote in message news:<cfni2i$j0f$(E-Mail Removed)>...
> Hi,
>
> I would like to write a python script that can be used in my website for
> other people whoever browse my website to send an email using my smtp
> server. Is there any sample python script can do that?
> Here is my python script, but it does not display To and From editbox in
> the webpage for user type in their addresses:
>
> #!/usr/bin/python
>
> import smtplib, cgi, string
>
> form = cgi.FieldStorage()
>
> # Change the lines below to specify the TO and
> # FROM addresses
>
> toaddr = '(E-Mail Removed)'
> fromaddr = ''
>
> # Special form fields used by the email.cgi
> # script
>
> ack_url = form.getvalue('ack_url',None)
> ack_text = form.getvalue('ack_text','Your submission was successful')
> subject = form.getvalue('subject', '')
>
> # form fields to skip
> to_skip = ['ack_url', 'ack_text', 'subject', 'to']
>
> # create the email headers
>
> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)


I'm using almost the same syntax, but I'm not using '\r\n', only '\n'.

Hope this helps..
 
 
Andrew Clover
      08-16-2004
wonder <(E-Mail Removed)> wrote:

> Is there any sample python script can do that?


Not that I know of, but it's pretty simple. Your script seems to cover
it, except for some security issues:

> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)


'subject' comes directly from a form submission but has not been
sanitised and can contain control characters. (Some form handling
software will remove them automatically for you, but the 'cgi' module
does not.)

So if an attacker inserts a '\n' into the subject field they can add
arbitrary headers and body content to the mail you are sending out.
You probably don't want that.

> print "Content-type: text/html"
> print
> print ack_text


Here the text is not HTML-escaped. An attacker can send a user to the
form script with an ack_text parameter of
'<script>alert(document.cookie)</script>' or similar
cross-site-scripting exploits. If your site is not particularly
sensitive this might not be a problem for you, but it's a bad idea
in general.

> it does not display To and From editbox in the webpage for user type in
> their addresses


If you allow both the 'To' address and arbitrary message text to be
supplied, your script is very likely going to be spending most of its
life sending spam!

--
Andrew Clover
(E-Mail Removed)
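
The three points raised in the reply above, as an added Python 3 example that is not code from any poster in this thread: the thread's original header line next to a hardened build that rejects control characters in the subject, keeps the recipient fixed, and HTML-escapes ack_text. The addresses, the function names and the use of a plain dict of decoded form fields are assumptions made for the illustration.

```python
import email
import html
import re
from email.message import EmailMessage

# Assumed placeholder addresses; the recipient is fixed and never read from the form.
TO_ADDR = "webmaster@example.org"
FROM_ADDR = "webform@example.org"
TO_SKIP = {"ack_url", "ack_text", "subject", "to"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def legacy_headers(subject):
    """The thread's original header construction, kept for comparison."""
    return "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (FROM_ADDR, TO_ADDR, subject)


def header_names(raw):
    """Header names a mail parser sees in a raw message."""
    return email.message_from_string(raw).keys()


def clean_header(value, limit=200):
    """Reject (not strip) control characters so tampering shows up as an error."""
    if CONTROL_CHARS.search(value) or len(value) > limit:
        raise ValueError("illegal characters or length in header value")
    return value


def build_message(fields):
    """Build the mail from a dict of decoded form fields (assumed str values)."""
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["To"] = TO_ADDR
    msg["Subject"] = clean_header(fields.get("subject", ""))
    msg.set_content("".join(
        "%s: %s\n\n" % (key, value)
        for key, value in fields.items() if key.lower() not in TO_SKIP))
    return msg


def ack_page(fields):
    """CGI response with ack_text HTML-escaped before it reaches the browser."""
    text = fields.get("ack_text", "Your submission was successful")
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + html.escape(text)
```

A request whose subject fails clean_header is best answered with an error page and a log entry, since a line break in a single-line form field does not come from normal browser use.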
 