An email.cgi script

Discussion in 'Python' started by wonder, Aug 15, 2004.

  1. wonder

    wonder Guest

    Hi,

    I would like to write a Python script that can be used on my website so
    that other people who browse my website can send an email using my SMTP
    server. Is there any sample Python script that can do that?
    Here is my Python script, but it does not display To and From edit boxes in
    the web page for users to type in their addresses:

    #!/usr/bin/python

    import smtplib, cgi, string

    form = cgi.FieldStorage()

    # Change the lines below to specify the TO and
    # FROM addresses

    toaddr = ''
    fromaddr = ''

    # Special form fields used by the email.cgi
    # script

    ack_url = form.getvalue('ack_url', None)
    ack_text = form.getvalue('ack_text', 'Your submission was successful')
    subject = form.getvalue('subject', '')

    # form fields to skip (they are consumed above, not copied into the body)
    to_skip = ['ack_url', 'ack_text', 'subject', 'to']

    # create the email headers

    msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
                                                          subject)

    # append every remaining form field as a "name: value" paragraph
    for key in form.keys():
        if string.lower(key) in to_skip: continue
        msg = msg + "%s: %s\n\n" % (key, form.getvalue(key))

    # hand the finished message to the SMTP server
    server = smtplib.SMTP('mail.xyx.com')
    server.set_debuglevel(0)
    server.sendmail(fromaddr, toaddr, msg)
    server.quit()

    # redirect to ack_url if one was given, otherwise print ack_text
    if ack_url:
        print "Location: %s" % (ack_url)
        print

    else:
        print "Content-type: text/html"
        print
        print ack_text
     
    wonder, Aug 15, 2004
    #1

  2. Tim Roberts

    Tim Roberts Guest

    wonder <> wrote:
    >
    >I would like to write a python script that can be used in my website for
    > other people whoever browse my webside to send an email using my smtp
    >server. Is there any sample python script can do that?


    It looks like you have one here.

    >Here is my python script, but it does not display To and From editbox in
    >the webpage for user type in their addresses:


    Well, then, add <input type=text name=to size=80> and <input type=text
    name=from size=80> to your web page and fetch them here. The rest of this
    looks fine.
    --
    - Tim Roberts,
    Providenza & Boekelheide, Inc.
     
    Tim Roberts, Aug 16, 2004
    #2

  3. dijk

    dijk Guest

    wonder <> wrote in message news:<cfni2i$j0f$>...
    > Hi,
    >
    > I would like to write a python script that can be used in my website for
    > other people whoever browse my webside to send an email using my smtp
    > server. Is there any sample python script can do that?
    > Here is my python script, but it does not display To and From editbox in
    > the webpage for user type in their addresses:
    >
    > #!/usr/bin/python
    >
    > import smtplib, cgi, string
    >
    > form = cgi.FieldStorage()
    >
    > # Change the lines below to specify the TO and
    > # FROM addresses
    >
    > toaddr = ''
    > fromaddr = ''
    >
    > # Special form fields used by the email.cgi
    > # script
    >
    > ack_url = form.getvalue('ack_url',None)
    > ack_text = form.getvalue('ack_text','Your submission was successful')
    > subject = form.getvalue('subject', '')
    >
    > # form fields to skip
    > to_skip = ['ack_url', 'ack_text', 'subject', 'to']
    >
    > # create the email headers
    >
    > msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
    > subject)


    I'm using almost the same syntax, but I'm not using '\r\n', only '\n'.

    Hope this helps.
     
    dijk, Aug 16, 2004
    #3
  4. Andrew Clover

    wonder <> wrote:

    > Is there any sample python script can do that?


    Not that I know of, but it's pretty simple. Your script seems to cover
    it, except for some security issues:

    > msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
    > subject)


    'subject' comes directly from a form submission but has not been
    sanitised and can contain control characters. (Some form handling
    software will remove them automatically for you, but the 'cgi' module
    does not.)

    So if an attacker inserts a '\n' into the subject field they can add
    arbitrary headers and body content to the mail you are sending out.
    You probably don't want that.

    > print "Content-type: text/html"
    > print
    > print ack_text


    Here the text is not HTML-escaped. An attacker can send a user to the
    form script with an ack_text parameter of
    '<script>alert(document.cookie)</script>' or similar
    cross-site-scripting exploits. If your site is not particularly
    sensitive this might not be a problem for you, but it's a bad idea
    in general.

    > it does not display To and From editbox in the webpage for user type in
    > their addresses


    If you allow both the 'To' address and arbitrary message text to be
    supplied, your script is very likely going to be spending most of its
    life sending spam!

    --
    Andrew Clover
    mailto:
     
    Andrew Clover, Aug 16, 2004
    #4
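To make the three points in the reply above concrete, here is an added example in Python 3; it is not code from the thread or from wonder's script, and it is not meant as a drop-in for the CGI program. It keeps the original header construction as vulnerable_headers() so the effect of a bare newline in 'subject' can be seen, and beside it a hardened version that rejects control characters in header values, maps the form's 'to' field onto a fixed allow-list instead of mailing wherever the form says, and HTML-escapes ack_text before echoing it. The addresses (example.com), the allow-list, the function names and the plain dict standing in for cgi.FieldStorage are all assumptions made for the demonstration.

```python
import html
import re
from email.message import EmailMessage
from email.utils import parseaddr


class RejectedSubmission(ValueError):
    """Raised when a form submission must not be turned into mail."""


# Assumption: the site owner fixes who may receive form mail; the 'to'
# field can only select one of these, never name a new address.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
FROM_ADDR = "forms@example.com"  # assumed sender address

# Fields the script consumes itself; everything else becomes body text.
SPECIAL_FIELDS = {"ack_url", "ack_text", "subject", "to"}


def vulnerable_headers(fromaddr, toaddr, subject):
    """The thread's construction: 'subject' is pasted into the header block."""
    return "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr, subject)


def header_names(raw):
    """Header names a mail server would see in a raw message (LF or CRLF)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return [line.split(":", 1)[0] for line in re.split(r"\r?\n", head) if ":" in line]


def header_safe(value, max_len=200):
    """Reject, rather than strip, anything that could end or add a header."""
    if re.search(r"[\r\n\x00]", value):
        raise RejectedSubmission("control characters in header value")
    if len(value) > max_len:
        raise RejectedSubmission("header value too long")
    return value


def pick_recipient(requested):
    """Map the form's 'to' field onto the allow-list; anything else is refused."""
    _, addr = parseaddr(requested)
    addr = addr.lower()
    if addr not in ALLOWED_RECIPIENTS:
        raise RejectedSubmission("recipient not allowed")
    return addr


def build_message(form):
    """Build the mail from a dict of form fields (stand-in for cgi.FieldStorage)."""
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["To"] = pick_recipient(form.get("to", ""))
    msg["Subject"] = header_safe(form.get("subject", "(no subject)"))
    # Body text is free-form: a newline here only starts the next body line,
    # it cannot reach the header block.
    paragraphs = ["%s: %s" % (key, form[key])
                  for key in sorted(form) if key.lower() not in SPECIAL_FIELDS]
    msg.set_content("\n\n".join(paragraphs) + "\n")
    return msg


def ack_page(form):
    """Acknowledgement HTML with ack_text escaped instead of echoed raw."""
    text = form.get("ack_text", "Your submission was successful")
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed hostile input: a newline in the subject smuggles a Bcc: header.
    evil = "Hello\nBcc: victim@example.net"
    print(header_names(vulnerable_headers(FROM_ADDR, "webmaster@example.com", evil)))
    try:
        build_message({"to": "webmaster@example.com", "subject": evil})
    except RejectedSubmission as exc:
        print("rejected:", exc)
    print(ack_page({"ack_text": "<script>alert(document.cookie)</script>"}))
```

A bare '\n' is enough for the injection, as the reply says: Python's smtplib converts lone LF to CRLF before transmission, so the server sees "Bcc:" as a header of its own. Rejecting the submission is preferable to stripping the characters, since a silently cleaned message still goes out looking legitimate; and building the message with email.message.EmailMessage rather than string concatenation keeps header and body separate even if a later edit forgets the check.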
