I'm using sendmail in a Perl script, and would like to get the "To" address from the user who invoked the script.
In other words, I would like the from and to addresses to be the same. How do I do that?
Thanks.
Given your code of
open(MAIL, "|/usr/sbin/sendmail -t");
print MAIL "To: $to\n";
print MAIL $msg;
close(MAIL);
I'll suggest adding in front of that
$to ||= $ENV{SUDO_USER} || $ENV{USERNAME} || $ENV{LOGNAME} || $ENV{USER} || getpwuid $<;
While I'm at it, I'll recommend you add an extra newline after your last header, so that if $msg just happens to start with something that might look like a header, it won't be used as a header. Unless that's actually behavior you're depending on... (But I'd recommend not depending on that behavior...)
There's not really an "email address" property of a user. If you're just going through a local MTA, the user's address is generally their username, which you can retrieve with scalar getpwuid $> on Unixlike systems.
I try to send a mail from a bash script with the following code:
notify_by_mail () {
echo "TEST BODY" | mail --attach="$LOG_PATH" -aFROM:"$1" -s "Borg backup failed" "$2"
}
The problem is, what I try to echo to mail is also handled as an attachment, but I want to have it as the body. When I don't send an attachment it behaves like I would. Could anyone please tell me what's going wrong?
I tried around with mail and searched long for the options, but I can't figure out what I do wrong.
Thanks a lot!
I have suffered injection in my website (from a search box in a KB system). I removed that KB system but have a Contact Form (with Google Captcha) where the user enters his name, email and message and I use PHP mail() to send me the message.
Is it possible that an attacker can get access to my website from a possible attack to that form? Or the worst scenario could just be that he uses it to send Spam?
This is my PHP code before calling "mail()":
<?php
$fname = $_POST['contact-f-name'];
$lname = $_POST['contact-l-name'];
$email = $_POST['contact-email'];
$text = $_POST['contact-message'];
$companyname = $_POST['company-name'];
$subject = $_POST['subject'];
$address = "myemail@myemail.com";
$headers = "From: " . strip_tags($email) . "\r\n";
$headers .= "Reply-To: ". strip_tags($email) . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type:text/plain; Charset=UTF-8 \r\n";
$message = "Name: ".strip_tags($fname)." ".strip_tags($lname)."\r\n"
."Email: ".strip_tags($email)."\r\n"
."Company Name: ".strip_tags($companyname)."\r\n"
."Subject: ".strip_tags($subject)."\r\n"
."Message: ".strip_tags($text)."\r\n";
if(@mail($address, $subject, $message, $headers)) { echo "true"; }
else { echo "false"; }
exit;
?>
TL;DR: Short answer: Maybe:
While I do not have the time right now to do a complete and exacting answer to this post, I will point you to some best practices, and lots of links to other more verbose answers to similar questions regarding making user inputted data safe.
How to make the inputs safer?
Disable certain dangerous PHP functions. Read the second answer rather than the "ticked" answer.
Use PHP's filter_var() to force inputs to their correct types, especially for emails:
$email = filter_var($_POST['contact-email'], FILTER_SANITIZE_EMAIL);
Use preg_replace() (or str_replace()) to remove unwanted characters from your values. This can most typically be backticks, quotes of any kind, forward slashes or backslashes. Example.
I recommend replacing mail() in your code with PHPMailer.
strip_tags is OK, but just OK. It has flaws (such as dealing with unclosed tags). Be aware of that.
Your PHP should be suitably jailed so if someone can run exec(...) commands (Ohsh1tOhsh1tOhsh1t) you have not (literally) lost your server.
What else can I read?
This huge topic on how to deal with forms on PHP
This question about how to "sanitise" user input.
OWASP PHP filters for cleaning inputs.
Disable dangerous functions
PHP filter_var sanitisation filter list
Securing user variables (database related mostly)
Further wise words on data sanitisation.
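One way to apply the filter_var() and unwanted-character advice above to the contact form from the question, as an added example that is not code from either poster. The field names come from the question's form; `CONTACT_TO`, `CONTACT_FROM` and the helper names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not the poster's code. Field names follow the question's form;
// CONTACT_TO and CONTACT_FROM are placeholder addresses.
const CONTACT_TO   = 'owner@example.com';
const CONTACT_FROM = 'webform@example.com';

// Read one form field as a string; arrays (field[]=...) count as empty.
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Return the value if it is usable in a header line, else null.
function header_safe(string $value, int $maxLen = 200): ?string
{
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Control characters (CR and LF included) are rejected, not stripped.
    return preg_match('/[\x00-\x1F\x7F]/', $value) ? null : $value;
}

// Build [to, subject, body, headers] for mail(), or null if input is rejected.
function build_contact_mail(array $post): ?array
{
    $email   = filter_var(field($post, 'contact-email'), FILTER_VALIDATE_EMAIL);
    $subject = header_safe(field($post, 'subject'));
    if ($email === false || $subject === null) {
        return null;
    }
    // The visitor's address goes only into Reply-To; From is a fixed site address.
    $headers = [
        'From'         => CONTACT_FROM,
        'Reply-To'     => $email,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // Body fields are not headers, so line breaks in them are harmless.
    $body = 'Name: ' . field($post, 'contact-f-name') . ' ' . field($post, 'contact-l-name') . "\r\n"
          . 'Company Name: ' . field($post, 'company-name') . "\r\n"
          . 'Message: ' . field($post, 'contact-message') . "\r\n";
    return [CONTACT_TO, $subject, $body, $headers];
}

// Constructed inputs: one ordinary, one with a line break in the e-mail field.
$ok  = build_contact_mail(['contact-email' => 'ann@example.org', 'subject' => 'Hello']);
$bad = build_contact_mail(['contact-email' => "ann@example.org\r\nX-Injected: 1", 'subject' => 'Hello']);
var_dump($ok !== null, $bad === null);
// In the real handler: if ($m = build_contact_mail($_POST)) { mail(...$m); }
```

Passing headers to mail() as an array requires PHP 7.2 or later. strip_tags() does not remove line breaks, which is why the header fields get a separate check here.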
When adding 'List-Unsubscribe' email headers, what kind of handling is required on the server-side for the callbacks?
It's possible to add both a mailto-link and a web-link to the header, in PHPMailer it could look like this:
$email->AddCustomHeader("List-Unsubscribe: <mailto:unsubscribe@example.com?subject=Unsubscribe>, <http://example.com/unsubscribe.php?unsubscribeid=$id>");
But does the mailto-address have to somehow automatically handle the unsubscription, or is it okay if the request just goes to an inbox that is frequently checked by a list administrator who manually processes the unsubscribe-requests?
And what about the web-link? Does it have to point to a script that will unsubscribe the recipient there and then, or can it just point to the webpage with an unsubscribe form?
You can handle this how you like, however, you should also be aware of the List-Unsubscribe-Post header (defined in RFC8058) too, as it makes you far less prone to accidental unsubscribes caused by mail scanners.
I'd really recommend processing these automatically. It's not that difficult. The URLs in list-unsubscribe should be entirely self-contained, that is, you should embed all the data you need (for example a hash of a unique user identifier, and a mailing list ID) into the URLs, so for HTTP you might use:
'<https://www.example.com/listunsub/' . $userid .'/' . $listid . '>'
You could configure a rewrite in your web server to map that URL pattern to appropriate vars in your PHP script and do the necessary database operations to remove them from the mailing list.
For email it's a bit different:
'<mailto:listunsub-' . $userid . '-' . $listid . '@example.com>'
For this last format you would configure your mail server to spot the 'listunsub-' prefix and use that to pipe the message into a script which could extract the user and list IDs. Notice that you don't need a subject or a message body - the address itself contains all you need, and that means that a receiver doesn't have to write a message - their mail client can simply send an empty message to the address and you will have enough info to work with.
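A sketch of the self-contained URL and address described above, with the hash made a keyed HMAC so the server can check that the IDs were not altered; this is an added example, not the answerer's code. `UNSUB_KEY`, the function names and the trailing tag segment are assumptions, and the IDs in the checks are constructed.

```php
<?php
// Added example, not the answerer's code. UNSUB_KEY, the tag segment and the
// function names are assumptions; the host follows the answer's example.com.
const UNSUB_KEY = 'replace-with-a-long-random-secret';   // placeholder secret

function unsub_tag(int $userId, int $listId): string
{
    // The tag binds user and list together, so an ID cannot be swapped in the URL.
    return substr(hash_hmac('sha256', "{$userId}:{$listId}", UNSUB_KEY), 0, 32);
}

// Header values for one recipient, including the RFC 8058 one-click header.
function unsub_headers(int $userId, int $listId): array
{
    $tag = unsub_tag($userId, $listId);
    return [
        'List-Unsubscribe' =>
            "<https://www.example.com/listunsub/{$userId}/{$listId}/{$tag}>, "
          . "<mailto:listunsub-{$userId}-{$listId}-{$tag}@example.com>",
        'List-Unsubscribe-Post' => 'List-Unsubscribe=One-Click',
    ];
}

// Accepts the URL path or the mail local part; returns [userId, listId] or null.
function unsub_verify(string $pathOrLocalPart): ?array
{
    if (!preg_match('~^/?listunsub[-/](\d+)[-/](\d+)[-/]([0-9a-f]{32})$~', $pathOrLocalPart, $m)) {
        return null;
    }
    [$userId, $listId, $tag] = [(int) $m[1], (int) $m[2], $m[3]];
    return hash_equals(unsub_tag($userId, $listId), $tag) ? [$userId, $listId] : null;
}

// One-click requests arrive as POST with this body; a GET (for example from a
// mail scanner following links) must not change the subscription.
function is_one_click(string $method, array $post): bool
{
    return $method === 'POST' && ($post['List-Unsubscribe'] ?? '') === 'One-Click';
}

// Constructed checks: a valid path, then the same tag with the list ID altered.
$tag = unsub_tag(42, 7);
var_dump(unsub_verify("/listunsub/42/7/{$tag}"));
var_dump(unsub_verify("listunsub-42-8-{$tag}"));
// With PHPMailer: foreach (unsub_headers(42, 7) as $k => $v) { $email->addCustomHeader($k, $v); }
```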
I'm struggling to find documentation that gives a clear example of how to enter a message in the rmail application.
I need to specify who the email is from, the subject of the email, and then follow that with some content. It's for a small school assignment where we are relaying "status updates" from imaginary machines on an imaginary factory floor.
This is the closest I've found, but it is not very clear: http://www.s-gms.ms.edus.si/cgi-bin/man-cgi?rmail+1
Can anyone give me an example of how I would send a message that looked like this? (obviously not including the comments...)
/* header stuff */
From: something@something.com
Subject: Status update for machine 5
/* message content */
Machine ID: 7
Status Reported: Machine going offline (status 6)
Status effective: 2012-06-02 12:30:23
I am opening rmail via software controlled pipe in my application without problems, I'm just not sure how to format the data I am feeding to it since I can't find any examples online.
Thanks!
You are probably interested in using /usr/bin/mail on most modern Unixes, not rmail.
You should read the man page, but generally, it would be sufficient to use the "-s" flag to set the subject of the mail, and input the content of the message on stdin. There is no need to set the From: line, as the system will do that for you (and in the general case, the system will not let you specify arbitrary from addresses to prevent forgeries.)
I'm searching for a simple method to "ping" a sip:user@ip and get back a status like "available for call", "busy", "not connected". If the first two require making his phone ring, that's OK.
(Optionally, if it is necessary to call them to see the status, then it would be nice to include a sender's number so that I can identify my server on the phone display when it's checking the status, or to play a short signal .wav in case someone picks up, so that they know what it was.)
.....something like sipsak -x 1200 -C random@ownip -s sip:adressee@hisip -vvv...
gives me "406 Not Acceptable without Contact header"
I did not try anything else yet.
I already wonder if the sending call still needs to be logged in at an ISP then?
You're probably looking for the OPTIONS message. The reply to an OPTIONS does two things - first, it tells you the capabilities of the remote party and second, more importantly, the Status-Code returned is the Status-Code you would get if you'd sent an INVITE.
According to sipsak's documentation you're looking for this:
sipsak -vv -s sip:nobody@foo.bar
SIMPLE will work, but it may be overkill for what you want to do. See http://en.wikipedia.org/wiki/SIMPLE
Of course, not all SIP phones support SIMPLE.