svn commit: samba-web r217 - in trunk/news: . style
Andrew Bartlett
abartlet at samba.org
Sun Aug 8 04:14:10 GMT 2004
On Sat, 2004-08-07 at 20:41, deryck at samba.org wrote:
> Author: deryck
> Date: 2004-08-08 03:41:41 +0000 (Sun, 08 Aug 2004)
> New Revision: 217
> WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk/news&rev=217&nolog=1
> Log:
>
> This sets everything for using a form-mail cgi script. The submitted
> form will return a "success" page.
>
> I have the script, which is a verion of the much used "Matt's Script
> Archive" FormMail.cgi, with some added security features.
> Jerry, et al., can check out the quality/secureness of the
> script when we move to the new design tomorrow, and if approved,
> we can add it to the cgi-bin then.
I think we should use a form-mail script *specific* (ie, hard-coded
values) to this page. In particular, I don't like the user specifying
where the redirect is to - that is one of the usual security-fun
starting points.
From a XSS (Cross Site Scripting) point of view, there should be no
input returned to the user, if possible. (Saves having to think of
every possible attack and sanitise it).
Andrew Bartlett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040807/7b8ffc29/attachment.bin
More information about the samba-technical
mailing list