A email.cgi script


wonder

Hi,

I would like to write a Python script that can be used on my website so that
other people who browse my website can send an email using my SMTP
server. Is there any sample Python script that can do that?
Here is my Python script, but it does not display To and From edit boxes in
the web page for users to type in their addresses:

#!/usr/bin/python

import smtplib, cgi, string

form = cgi.FieldStorage()

# Change the lines below to specify the TO and
# FROM addresses

toaddr = '(e-mail address removed)'
fromaddr = ''

# Special form fields used by the email.cgi
# script

ack_url = form.getvalue('ack_url', None)
ack_text = form.getvalue('ack_text', 'Your submission was successful')
subject = form.getvalue('subject', '')

# form fields to skip
to_skip = ['ack_url', 'ack_text', 'subject', 'to']

# create the email headers

msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
                                                     subject)

# append every remaining form field to the message body
for key in form.keys():
    if string.lower(key) in to_skip:
        continue
    msg = msg + "%s: %s\n\n" % (key, form.getvalue(key))

server = smtplib.SMTP('mail.xyx.com')
server.set_debuglevel(0)
server.sendmail(fromaddr, toaddr, msg)
server.quit()

# redirect to ack_url if one was given, otherwise show ack_text
if ack_url:
    print "Location: %s" % (ack_url)
    print
else:
    print "Content-type: text/html"
    print
    print ack_text

Tim Roberts

wonder said:
I would like to write a Python script that can be used on my website so that
other people who browse my website can send an email using my SMTP
server. Is there any sample Python script that can do that?

It looks like you have one here.
Here is my Python script, but it does not display To and From edit boxes in
the web page for users to type in their addresses:

Well, then, add <input type=text name=to size=80> and <input type=text
name=from size=80> to your web page and fetch them here. The rest of this
looks fine.

dijk

wonder said:
Hi,

I would like to write a Python script that can be used on my website so that
other people who browse my website can send an email using my SMTP
server. Is there any sample Python script that can do that?
Here is my Python script, but it does not display To and From edit boxes in
the web page for users to type in their addresses:

#!/usr/bin/python

import smtplib, cgi, string

form = cgi.FieldStorage()

# Change the lines below to specify the TO and
# FROM addresses

toaddr = '(e-mail address removed)'
fromaddr = ''

# Special form fields used by the email.cgi
# script

ack_url = form.getvalue('ack_url', None)
ack_text = form.getvalue('ack_text', 'Your submission was successful')
subject = form.getvalue('subject', '')

# form fields to skip
to_skip = ['ack_url', 'ack_text', 'subject', 'to']

# create the email headers

msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
subject)

I'm using almost the same syntax, but I'm not using '\r\n', only '\n'.

Hope this helps..

Andrew Clover

wonder said:
Is there any sample python script can do that?

Not that I know of, but it's pretty simple. Your script seems to cover
it, except for some security issues:
msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
subject)

'subject' comes directly from a form submission but has not been
sanitised and can contain control characters. (Some form handling
software will remove them automatically for you, but the 'cgi' module
does not.)

So if an attacker inserts a '\n' into the subject field they can add
arbitrary headers and body content to the mail you are sending out.
You probably don't want that.
print "Content-type: text/html"
print
print ack_text

Here the text is not HTML-escaped. An attacker can send a user to the
form script with an ack_text parameter of
'<script>alert(document.cookie)</script>' or similar
cross-site-scripting exploits. If your site is not particularly
sensitive this might not be a problem for you, but it's a bad idea
in general.
it does not display To and From edit boxes in the web page for users to type in
their addresses

If you allow both the 'To' address and arbitrary message text to be
supplied, your script is very likely going to be spending most of its
life sending spam!
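A hardened version of the header construction and acknowledgement output, written as an added example for this thread rather than code posted by anyone in it: it refuses CR/LF in header values (the injection described above), keeps the recipient fixed so the script cannot be used as a relay, and HTML-escapes ack_text before printing it. The addresses and SMTP host are placeholders.

```python
import html
import re
import smtplib
from email.message import EmailMessage

# Fixed addresses (constructed placeholders): the browser never picks the recipient.
TOADDR = "webmaster@example.invalid"
FROMADDR = "noreply@example.invalid"

# Form fields that must never be copied into the mail body.
SKIP = ("ack_url", "ack_text", "subject", "to", "from")

_CONTROL = re.compile(r"[\r\n\x00]")


def clean_header(value, max_len=200):
    """Reject a header value containing CR, LF or NUL and cap its length.
    Raising means the request is refused instead of relayed with extra headers."""
    if _CONTROL.search(value):
        raise ValueError("control character in header value")
    return value[:max_len]


def build_message(fields, subject):
    """Build the outgoing mail; every user-supplied string lands in the body
    except the subject, which is checked first. Returns an EmailMessage."""
    msg = EmailMessage()
    msg["From"] = FROMADDR
    msg["To"] = TOADDR
    msg["Subject"] = clean_header(subject)
    body_lines = ["%s: %s" % (key, fields[key])
                  for key in sorted(fields) if key.lower() not in SKIP]
    msg.set_content("\n".join(body_lines) + "\n")
    return msg


def ack_page(ack_text):
    """HTML-escape the acknowledgement text so it cannot carry markup or script."""
    return "<p>%s</p>" % html.escape(ack_text, quote=True)


def send(msg, host="mail.example.invalid"):
    """Hand the finished message to the SMTP server (host is a placeholder)."""
    with smtplib.SMTP(host) as server:
        server.send_message(msg)
```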