44 lines
1.1 KiB
Plaintext
44 lines
1.1 KiB
Plaintext
![]() |
include::../description.adoc[]
|
||
|
|
||
|
include::../ask-yourself.adoc[]
|
||
|
|
||
|
== Recommended Secure Coding Practices
|
||
|
|
||
|
* Use an email library which sanitizes headers (Flask-Mail or django.core.mail).
|
||
|
* Use html escape functions to sanitize every piece of data used to in the email body.
|
||
|
* Verify application logic to make sure that email base feature can not be abuse to:
|
||
|
** Send arbitrary email for spamming or fishing
|
||
|
** Disclose sensitive email content
|
||
|
|
||
|
== Sensitive Code Example
|
||
|
|
||
|
smtplib
|
||
|
----
|
||
|
import smtplib
|
||
|
|
||
|
def send(from_email, to_email, msg):
|
||
|
server = smtplib.SMTP('localhost', 1025)
|
||
|
server.sendmail(from_email, to_email, msg) # Sensitive
|
||
|
----
|
||
|
Django
|
||
|
----
|
||
|
from django.core.mail import send_mail
|
||
|
|
||
|
def send(subject, msg, from_email, to_email):
|
||
|
send_mail(subject, msg, from_email, [to_email]) # Sensitive
|
||
|
----
|
||
|
Flask-Mail
|
||
|
----
|
||
|
from flask import Flask
|
||
|
from flask_mail import Mail, Message
|
||
|
|
||
|
app = Flask(__name__)
|
||
|
|
||
|
def send(subject, msg, from_email, to_email):
|
||
|
mail = Mail(app)
|
||
|
msg = Message(subject, [to_email], body, sender=from_email)
|
||
|
mail.send(msg) # Sensitive{code}
|
||
|
----
|
||
|
|
||
|
include::../see.adoc[]
|