
An email.cgi script

wonder
Guest
#1: Jul 18 '05
Hi,

I would like to write a Python script that can be used on my website so that
anyone who browses my website can send an email using my SMTP server.
Is there any sample Python script that can do that?
Here is my Python script, but it does not display To and From edit boxes in
the web page for users to type in their addresses:

#!/usr/bin/python

import smtplib, cgi, string

# Parse the submitted form fields (GET or POST).
form = cgi.FieldStorage()

# Change the lines below to specify the TO and
# FROM addresses

toaddr = 'dest@abc.com'
fromaddr = ''

# Special form fields used by the email.cgi
# script

ack_url = form.getvalue('ack_url',None)
ack_text = form.getvalue('ack_text','Your submission was successful')
subject = form.getvalue('subject', '')

# form fields to skip
to_skip = ['ack_url', 'ack_text', 'subject', 'to']

# create the email headers

msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
                                                     subject)

# Append every remaining form field to the message body.
for key in form.keys():
    if string.lower(key) in to_skip: continue
    msg = msg + "%s: %s\n\n" % (key, form.getvalue(key))

# Hand the message to the SMTP server and disconnect.
server = smtplib.SMTP('mail.xyx.com')
server.set_debuglevel(0)
server.sendmail(fromaddr, toaddr, msg)
server.quit()

# Either redirect the browser to ack_url or show ack_text as the response.
if ack_url:
    print "Location: %s" % (ack_url)
    print

else:
    print "Content-type: text/html"
    print
    print ack_text

Tim Roberts
Guest
#2: Jul 18 '05

re: An email.cgi script


wonder <a@b.com> wrote:
>
> I would like to write a Python script that can be used on my website so that
> anyone who browses my website can send an email using my SMTP server.
> Is there any sample Python script that can do that?

It looks like you have one here.

> Here is my Python script, but it does not display To and From edit boxes in
> the web page for users to type in their addresses:

Well, then, add <input type=text name=to size=80> and <input type=text
name=from size=80> to your web page and fetch them here. The rest of this
looks fine.
--
- Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
dijk
Guest
#3: Jul 18 '05

re: An email.cgi script


wonder <a@b.com> wrote in message news:<cfni2i$j0f$1@news.hgc.com.hk>...
> Hi,
>
> I would like to write a Python script that can be used on my website so that
> anyone who browses my website can send an email using my SMTP server.
> Is there any sample Python script that can do that?
> Here is my Python script, but it does not display To and From edit boxes in
> the web page for users to type in their addresses:
>
> #!/usr/bin/python
>
> import smtplib, cgi, string
>
> form = cgi.FieldStorage()
>
> # Change the lines below to specify the TO and
> # FROM addresses
>
> toaddr = 'dest@abc.com'
> fromaddr = ''
>
> # Special form fields used by the email.cgi
> # script
>
> ack_url = form.getvalue('ack_url',None)
> ack_text = form.getvalue('ack_text','Your submission was successful')
> subject = form.getvalue('subject', '')
>
> # form fields to skip
> to_skip = ['ack_url', 'ack_text', 'subject', 'to']
>
> # create the email headers
>
> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)

I'm using almost the same syntax, but I'm not using '\r\n', only '\n'.

Hope this helps..
Andrew Clover
Guest
#4: Jul 18 '05

re: An email.cgi script


wonder <a@b.com> wrote:
> Is there any sample Python script that can do that?

Not that I know of, but it's pretty simple. Your script seems to cover
it, except for some security issues:
> msg = "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n" % (fromaddr, toaddr,
> subject)

'subject' comes directly from a form submission but has not been
sanitised and can contain control characters. (Some form handling
software will remove them automatically for you, but the 'cgi' module
does not.)

So if an attacker inserts a '\n' into the subject field they can add
arbitrary headers and body content to the mail you are sending out.
You probably don't want that.
> print "Content-type: text/html"
> print
> print ack_text

Here the text is not HTML-escaped. An attacker can send a user to the
form script with an ack_text parameter of
'<script>alert(document.cookie)</script>' or similar
cross-site-scripting exploits. If your site is not particularly
sensitive this might not be a problem for you, but it's a bad idea
in general.

> it does not display To and From edit boxes in the web page for users to
> type in their addresses

If you allow both the 'To' address and arbitrary message text to be
supplied, your script is very likely going to be spending most of its
life sending spam!

--
Andrew Clover
mailto:and@doxdesk.com
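A hardened rewrite of the two weak spots Andrew points out (the unsanitised Subject header and the unescaped ack_text), plus a fixed destination address so the form cannot pick the recipient. This is an added example, not code from any of the posters; it assumes the form fields arrive as a plain dict of strings (reading them with cgi.FieldStorage is left out), and TO_ADDR, FROM_ADDR and the function names are placeholders chosen for the example.

```python
import html
import re
import smtplib
from email.message import EmailMessage

# Placeholder addresses (constructed for this example, not real mailboxes).
TO_ADDR = "dest@abc.com"          # fixed destination, never taken from the form
FROM_ADDR = "webform@example.invalid"
SMTP_HOST = "mail.xyx.com"        # host name used by the original script
# Form fields that steer the script and must not be copied into the body.
SKIP = {"ack_url", "ack_text", "subject", "to", "from"}

# A CR, LF or other control character in a header value lets the sender
# end the header early and append headers or body text of their own.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

def is_safe_header(value):
    """True when the value can be placed in a mail header unchanged."""
    return _CTRL.search(value) is None

def build_message(fields, max_subject=200):
    """Build the mail from a dict of form fields; refuse injected headers."""
    subject = fields.get("subject", "")
    if not is_safe_header(subject):
        raise ValueError("control character in Subject header")
    msg = EmailMessage()
    msg["From"] = FROM_ADDR
    msg["To"] = TO_ADDR
    msg["Subject"] = subject[:max_subject]
    # Body fields may contain newlines: there they are data, not structure.
    body = "".join("%s: %s\n\n" % (k, v) for k, v in sorted(fields.items())
                   if k.lower() not in SKIP)
    msg.set_content(body)
    return msg

def send(msg, host=SMTP_HOST):
    """Deliver via the site's SMTP server; the library serialises the headers."""
    with smtplib.SMTP(host) as server:
        server.send_message(msg)

def ack_page(ack_text):
    """CGI response for the acknowledgement, with ack_text HTML-escaped."""
    return ("Content-type: text/html; charset=utf-8\r\n\r\n"
            "<p>%s</p>\r\n" % html.escape(ack_text))
```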