svn commit: samba-web r217 - in trunk/news: . style
abartlet at samba.org
Sun Aug 8 04:14:10 GMT 2004
On Sat, 2004-08-07 at 20:41, deryck at samba.org wrote:
> Author: deryck
> Date: 2004-08-08 03:41:41 +0000 (Sun, 08 Aug 2004)
> New Revision: 217
> WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba-web&path=/trunk/news&rev=217&nolog=1
> This sets everything for using a form-mail cgi script. The submitted
> form will return a "success" page.
> I have the script, which is a version of the much used "Matt's Script
> Archive" FormMail.cgi, with some added security features.
> Jerry, et al., can check out the quality/secureness of the
> script when we move to the new design tomorrow, and if approved,
> we can add it to the cgi-bin then.
I think we should use a form-mail script *specific* (i.e., hard-coded
values) to this page. In particular, I don't like the user specifying
where the redirect is to - that is one of the usual security-fun
From an XSS (Cross Site Scripting) point of view, there should be no
input returned to the user, if possible. (Saves having to think of
every possible attack and sanitise it).
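The design the reply argues for, as an added example rather than Samba's script or the FormMail.cgi it mentions: recipient and redirect target are hard-coded, only allow-listed fields are forwarded, and nothing from the request is echoed back to the browser. RECIPIENT, SUCCESS_URL and the field names are placeholder assumptions.

```python
# Added example of a page-specific form-mail handler: fixed recipient and
# redirect, allow-listed input fields, no reflected user data.
# Hypothetical code, not Samba's cgi-bin script and not Matt's FormMail.cgi.
from email.message import EmailMessage
from urllib.parse import parse_qs

# Hard-coded configuration; the submitted form cannot override any of it.
RECIPIENT = "webmaster@example.org"            # placeholder address
SUCCESS_URL = "/news/thanks.html"              # fixed redirect, never from the form
ALLOWED_FIELDS = ("name", "email", "message")  # only these reach the mail body

def build_mail(fields: dict) -> EmailMessage:
    """Build the outgoing mail from allow-listed fields only.

    User-supplied values go into the body, never into headers, so a value
    containing newlines cannot inject additional mail headers."""
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = RECIPIENT
    msg["Subject"] = "Web form submission"
    body = "\n".join(f"{k}: {fields.get(k, '')}" for k in ALLOWED_FIELDS)
    msg.set_content(body)
    return msg

def handle_post(raw_body: str) -> dict:
    """Process one urlencoded POST body and return the response to send.

    Fields such as 'recipient' or 'redirect' are simply dropped, and the
    response (a redirect to a constant URL with an empty body) contains no
    data taken from the request, so there is nothing to sanitise for XSS."""
    parsed = parse_qs(raw_body, keep_blank_values=True)
    fields = {k: parsed[k][0] for k in ALLOWED_FIELDS if k in parsed}
    mail = build_mail(fields)  # a real CGI would hand this to sendmail here
    return {
        "status": "303 See Other",
        "headers": {"Location": SUCCESS_URL},
        "body": "",
        "mail": mail,
    }

if __name__ == "__main__":
    # Constructed request that tries to pick its own recipient and redirect.
    sample = ("name=Ann&email=ann%40example.net&message=hello"
              "&redirect=http%3A%2F%2Fattacker.example%2F"
              "&recipient=someone%40attacker.example")
    resp = handle_post(sample)
    print(resp["status"], resp["headers"])
    print(resp["mail"].as_string())
```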