Re: Email

From: Jörgen (di4sig@cse.hks.se)
Date: 07/05/96


Sender: owner-circle@pvv.ntnu.no

> > How would you tell C code to email out information.  Such as every time a 
> > player was created, write to the text file, and email to someone@edu?
> 
> I'm not sure if this is exactly correct (man mail to be sure), but I 
> think you can do something like this:
> 
>   sprintf(buf, "mail %s < newbie_help.txt &", ch->email);
>   system(buf);
> 
> Assuming you have a variable ch->email for a player's email address, and 
> a newbie help file named as above in your lib directory (maybe put it in 
> lib/text instead) I think this will send the helpfile to their address.  
> Somebody point out the security hole in this, since I'm sure one exists.
> 
> Sam
> 
There is a security hole in this if the get_email_prompt isn't smart enough.
Restrict email addresses from containing characters like *'s, ;'s, &'s and |'s (or any other
Unix special character for that matter; they shouldn't be in an email address anyhow).
If a player typed in an email address like this: '&rm -rf /* & more', the string which
is passed to system() will look like this: 'mail & rm -rf /* & more < newbie_help.txt &'.
That would wipe out everything on the system that the user can wipe. My recommendations are to
create some kind of boolean function that checks if a given email address is ok or not.

My 2 cents.

// Zigg
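
A sketch of the boolean check recommended above, added here as an example and not code from either poster or from the MUD code base. The names email_is_ok, send_help_file and MAX_EMAIL_LEN are hypothetical, the allowlist is deliberately stricter than what mail standards permit, and the second function goes one step beyond the post by starting mail directly, so no shell ever parses the address.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_EMAIL_LEN 80  /* assumed limit, not from the original post */

/* Returns 1 if addr is safe to hand to mail, 0 otherwise.
 * Allowlist: letters, digits and . _ - + with exactly one '@'.
 * Everything else (; & | * < > ` $ quotes, spaces, control bytes) is rejected. */
int email_is_ok(const char *addr)
{
    size_t i, len, at_count = 0, at_pos = 0;

    if (addr == NULL) return 0;
    len = strlen(addr);
    if (len < 3 || len > MAX_EMAIL_LEN) return 0;
    if (addr[0] == '-') return 0;      /* would be read as an option by mail */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { at_count++; at_pos = i; }
        else if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != '+')
            return 0;
    }
    /* exactly one '@', with a non-empty local part and a non-empty domain */
    return at_count == 1 && at_pos > 0 && at_pos < len - 1;
}

/* Mails the file at path to addr without going through /bin/sh.
 * Returns 0 once the child has been started, -1 if refused or on error.
 * The caller is expected to reap the child (SIGCHLD handler or waitpid). */
int send_help_file(const char *addr, const char *path)
{
    pid_t pid;

    if (!email_is_ok(addr)) return -1; /* refuse before any process is created */
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                    /* child: the file becomes mail's stdin */
        int fd = open(path, O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0) _exit(127);
        execlp("mail", "mail", addr, (char *)NULL);
        _exit(127);                    /* exec failed */
    }
    return 0;
}
```
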



This archive was generated by hypermail 2b30 : 12/07/00 PST