Mercurial > hg > mlmmj

view contrib/web/perl-user/mlmmj.cgi @ 693:1606ae6d900d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fixed injection in contrib/web/perl-user (Gerd von Egidy)
author mortenp
date Mon, 29 Dec 2008 07:03:46 +1100
parents 1180bcbc90d9
children
line wrap: on
line source

#!/usr/bin/perl

# Copyright (C) 2004 Morten K. Poulsen <morten at afdelingp.dk>
#
# $Id$
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.

use CGI qw(:standard);

require "config.pl";


# You might want to customize this function if you are not running the web
# server on the same host as the mail server running the lists, or if your
# lists are not in $topdir/list-name.
sub mlmmj_check_list {
	my $list = shift;

	if ($list !~ /^([a-z0-9-.]+)\@/) {
		return false;
	}

	if (!-f "$topdir/$1/control/listaddress") {
		return false;
	}

	open(FILE, "$topdir/$1/control/listaddress") or die('unable to open control/listaddress');
	$listaddr = readline(FILE);
	chomp($listaddr);
	if ($list ne $listaddr) {
		return false;
	}

	return true;
}


sub mlmmj_mail {
	my $from = shift;
	my $to = shift;
	my $subject = shift;
	my $body = shift;
	my $date = `/bin/date -R`;

	$mail = "Received: from " . $query->remote_addr()
		. " by " .  $query->server_name() . " with HTTP;\n"
		. "\t$date"
		. "X-Originating-IP: " . $query->remote_addr() . "\n"
		. "X-Mailer: mlmmj-webinterface powered by Perl\n"
		. "Date: $date"
		. "From: $from\n"
		. "To: $to\n"
		. "Subject: $subject\n"
		. "\n"
		. "$body\n";
	open(P, "|$sendmail -i -t") or die('unable to send mail');
	print(P $mail);
	close(P);
}


sub mlmmj_gen_to {
	my $list = shift;
	my $job = shift;

	if (($job ne 'subscribe') && ($job ne 'unsubscribe')) {
		return false;
	}
	($user, $domain) = split(/@/, $list);

	return sprintf("%s%s%s@%s", $user, $delimiter, $job, $domain);
}

sub check_email {
    my $addr = shift;

    if ($addr !~ /^[-!#$%&\'*+\.\/0-9=?A-Z^_a-z{|}~]+@[-0-9A-Za-z]+\.[-\.0-9A-Za-z]+$/) {
        return false;
    } else {
        return true;
    }
}

$query = new CGI;

$list = $query->param('mailinglist');
$job = $query->param('job');
$redirect_failure = $query->param('redirect_failure');
$redirect_success = $query->param('redirect_success');
$email = $query->param('email');

if (mlmmj_check_list($list) ne false && check_email($email) ne false)) {
	$to = mlmmj_gen_to($list, $job);
	if ($to ne false) {
		mlmmj_mail($email, $to, "$job to $list", $job);

		print $query->redirect($redirect_success);
		exit(0);
	}
}

print $query->redirect($redirect_failure);