Re: [solved, kinda] Re: Why does tmail stop my CGI script form working?

< ^ > P N |<>| ^ _>< --- | ~ ...Help
--+QahgC5+KEYLbs62
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 18, 2008 at 03:45:37AM +0900, James Gray wrote:
> On Nov 17, 2008, at 11:38 AM, Chad Perrin wrote:
>=20
> >On Tue, Nov 18, 2008 at 01:20:16AM +0900, Jeremy McAnally wrote:
> >>Why not try mailfactory if you're just sending e-mail?  If it's just
> >>tmail screwing up.  I thought perhaps you were parsing e-mail or
> >>something.
> >
> >The problem actually appears to be one of something on the server =20
> >being
> >misconfigured so that I cannot properly install and `require` gems.
> >
> >Also . . . as someone pointed out to me off-list, I forgot to change a
> >set of single quotes in the `mail` command into double quotes.  The =20
> >line
> >in question should actually read:
> >
> >   `echo "#{body_c}" | mail -s "#{sub_c}" #{to_c}`
>=20
> I would prefer to just avoid passing the body through the shell:
>=20
>   open(%Q{| mail -s "#{sub_c}" #{to_c}}, "w") { |mail| mail << body_c }

That's an excellent point, and I wish I had thought of it.  I took your
advice.  The relevant code now looks like this:

    sent =3D open( %Q{| mail -s "#{sub_c}" #{to_c} }, 'w' ) do |msg|
      msg << body_c
    end

=2E . . and the sub_c variable just contains a non-interpolated string with
nothing but letters and spaces in it.  Since the to_c variable was
already just a non-interpolated string I defined within the script, I
think this means I'm no longer in need of input sanitizing.  I think.

>=20
> You could use mail's escapes to avoid passing the subject as well.  =20
> See the man page for details.

I pored over the man page for a little while, and didn't catch on to what
you meant by this.  The closest I found to it was the reference to the ~s
escape for the mail program, but I haven't figured out yet what you meant
should be done with it if that's your point.

However . . . having a user-supplied string in the actual email subject
line isn't really a critical necessity so, for the sake of moving
forward, I just made the subject line of sent emails static and
predefined in the script, then put the user-supplied subject string
within the body of the email the same way I did with the name and
telephone number fields.

If using a block rather than an echo command eliminates the need to
sanitize the text in the message body, it looks like the problem of input
sanitizing is solved for now, and I really appreciate your help.  Please
correct me if I'm wrong.

I'll probably put some more time into puzzling over `man mail` at a later
date to see if I can figure out what you meant about using mail's escapes
to avoid passing the subject to the shell.  That would surely be good to
know for the future, even if it isn't really critical to this particular
case.

--=20
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?

--+QahgC5+KEYLbs62
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkkhzNAACgkQ9mn/Pj01uKVk2wCfRFT12doImmyOi1k6TxqDNYn7
oIMAoN/7Ar0Tm6sMlBfdBqiA1Wc+DcYm
=1fCa
-----END PGP SIGNATURE-----

--+QahgC5+KEYLbs62--