On Mon, 26 Jul 1999, Peter Lister wrote:
> So it's possible to substitute any CGI env var anywhere in the
> template email. However, the note above and From: are explicitly
> overridden by the script
I know that we have drifted far from the topic, but what Pete didn't say
is that his script allows for users to create their own email template
files for each form. So an email template file like
To: my@???
Subject: mailform response from --HTTP_REFERER--
X-Mailfrom-Submit-IP: --HTTP_REMOTE_ADDRESS--
Reply-To: --email--
This message was generated by someone submitting the form at
--HTTP_REFERER--
They provided the email address
--email--
There is no assurance that the email address provided is correct.
A reply to this message will be directed to that address.
...
As Pete said, users can specify lots of headers in the template, but any
From: is politely ignored. (Also the program adds in some headers of its
own about itself and who to complain to if it is somehow used badly). In
writing this, I now recognize that I should also ensure that people can't
add Received: headers.
Anyway, the point is to use the information from the submitted form
for the Reply-To, but the From and envelope sender are NOT supplied by the
agent submitting the form.
Despite the fact that the system allows any of our thousands of users to
set up their own reply forms (using templates like the above), it has
proved remarkably abuse resistant.
-j
--
Jeffrey Goldberg +44 (0)1234 750 111 x 2826
Cranfield Computer Centre FAX 751 814
J.Goldberg@??? http://WWW.Cranfield.ac.uk/public/cc/cc047/
Relativism is the triumph of authority over truth, convention over justice.
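The header handling described in the message above (--NAME-- tokens filled from CGI environment variables and form fields, any From: in the template ignored, Received: blocked as well, the script's own headers appended, envelope sender fixed), written out as a small Python renderer. This is an added example, not the Cranfield mailform script itself. Everything beyond what the post states is an assumption: the extra Sender:/Return-Path: entries in the protected set, the script's own header names and example.invalid addresses, the choice to split headers from body at the first blank line, and the refusal of a substituted value that contains a line break inside the header section (the template lines are one attack surface; a form value is the other). The template, environment and form values are constructed for the example.

```python
import re

# Header fields the script keeps for itself. The post says any From: in a
# template is ignored and that Received: should be blocked too; Sender: and
# Return-Path: are added here as an assumption (they also name the origin).
PROTECTED_HEADERS = {"from", "received", "sender", "return-path"}

# Headers the script adds about itself (constructed values; the real script's
# header names and addresses are not given in the post).
SCRIPT_HEADERS = [
    ("From", "mailform-agent@example.invalid"),
    ("X-Mailform-Agent", "mailform (constructed example)"),
    ("X-Mailform-Complaints-To", "postmaster@example.invalid"),
]

# Envelope sender handed to the MTA separately; fixed, never taken from the form.
ENVELOPE_SENDER = "mailform-bounces@example.invalid"

TOKEN = re.compile(r"--([A-Za-z_][A-Za-z0-9_]*)--")
# RFC 822 field name: printable ASCII other than colon, followed by a colon.
HEADER_LINE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")


def substitute(text, values):
    """Replace every --NAME-- with values[NAME]; unknown names expand to nothing."""
    return TOKEN.sub(lambda m: values.get(m.group(1), ""), text)


def substitute_header(line, values):
    """Like substitute(), but refuse a value that would turn one header line into two."""
    def repl(m):
        value = values.get(m.group(1), "")
        if "\r" in value or "\n" in value:
            raise ValueError(f"--{m.group(1)}-- contains a line break; not allowed in a header")
        return value
    return TOKEN.sub(repl, line)


def render(template, cgi_env, form):
    """Expand a user-supplied template into (message text, dropped header names).

    Header section and body are separated by the first blank line (assumption).
    CGI environment variables and form fields share one --NAME-- namespace as in
    the post; the environment takes precedence so a form field named
    HTTP_REMOTE_ADDRESS cannot mask the real one (assumption).
    """
    values = dict(form)
    values.update(cgi_env)
    head, _, body = template.partition("\n\n")
    kept, dropped = [], []
    skipping = False
    for line in head.splitlines():
        if line[:1] in (" ", "\t"):
            # Folded continuation line: it belongs to the previous header,
            # so it goes wherever that header went.
            if not skipping:
                kept.append(substitute_header(line, values))
            continue
        m = HEADER_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed header line in template: {line!r}")
        skipping = m.group(1).lower() in PROTECTED_HEADERS
        if skipping:
            dropped.append(m.group(1))
        else:
            kept.append(substitute_header(line, values))
    for name, value in SCRIPT_HEADERS:
        kept.append(f"{name}: {value}")
    return "\n".join(kept) + "\n\n" + substitute(body, values), dropped


# Constructed template modelled on the one in the post, with a From: and a
# Received: line included to show them being dropped.
TEMPLATE = """\
To: my@example.invalid
Subject: mailform response from --HTTP_REFERER--
X-Mailfrom-Submit-IP: --HTTP_REMOTE_ADDRESS--
From: --email--
Received: from somewhere.example.invalid
Reply-To: --email--

This message was generated by someone submitting the form at
--HTTP_REFERER--
They provided the email address
--email--
"""

# Constructed CGI environment and form submission.
CGI_ENV = {"HTTP_REFERER": "http://www.example.invalid/feedback.html",
           "HTTP_REMOTE_ADDRESS": "192.0.2.10"}
FORM = {"email": "visitor@example.invalid"}

if __name__ == "__main__":
    message, dropped = render(TEMPLATE, CGI_ENV, FORM)
    print(message)
    print("dropped template headers:", dropped)
    print("envelope sender:", ENVELOPE_SENDER)
```

The renderer returns the list of headers it dropped so the script can log them; a template that keeps trying to set From: or Received: is worth noticing even when it is harmless. The envelope sender is a constant handed to the MTA on its own, which is the separation the post is making: the form contributes Reply-To and nothing that identifies the message's origin.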