
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
66 lines
1.4 KiB
Plaintext
include::../description.adoc[]

include::../ask-yourself.adoc[]

== Recommended Secure Coding Practices

* Use an email library which sanitizes headers (Flask-Mail or django.core.mail).
* Use HTML escape functions to sanitize every piece of data used in the email body.
* Verify application logic to make sure that the email-based feature cannot be abused to:
** Send arbitrary emails for spamming or phishing
** Disclose sensitive email content

== Sensitive Code Example

smtplib

[source,python]
----
import smtplib


def send(from_email, to_email, msg):
    server = smtplib.SMTP('localhost', 1025)
    server.sendmail(from_email, to_email, msg)  # Sensitive
----

Django

[source,python]
----
from django.core.mail import send_mail


def send(subject, msg, from_email, to_email):
    send_mail(subject, msg, from_email, [to_email])  # Sensitive
----

Flask-Mail

[source,python]
----
from flask import Flask
from flask_mail import Mail, Message

app = Flask(__name__)


def send(subject, msg, from_email, to_email):
    mail = Mail(app)
    # the body argument must be the caller's text, not an undefined name
    message = Message(subject, [to_email], msg, sender=from_email)
    mail.send(message)  # Sensitive
----
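A hardened counterpart to the smtplib snippet above, added here as an example and not part of this rule or its sources: it applies the recommended practices by rejecting CR/LF in header fields, HTML-escaping the body, and allowlisting recipient domains. The function names, the `example.com` allowlist and the sample inputs are assumptions.

```python
# Added example, not part of the rule page: hardened counterpart to the smtplib snippet.
import html
import re
import smtplib
from email.message import EmailMessage

_CRLF = re.compile(r"[\r\n]")
# Constructed allowlist (assumption): the feature may only mail this domain.
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}


def header_is_safe(value: str) -> bool:
    """A header value must be a single line; a CR/LF would start a new header."""
    return _CRLF.search(value) is None


def recipient_is_allowed(address: str) -> bool:
    """Keep the feature from being used as a relay for arbitrary addresses."""
    local, at, domain = address.rpartition("@")
    return bool(local) and at == "@" and domain.lower() in ALLOWED_RECIPIENT_DOMAINS


def build_message(from_email: str, to_email: str, subject: str, user_text: str) -> EmailMessage:
    """Build an HTML email in which every user-controlled field is validated or escaped."""
    for field in (from_email, to_email, subject):
        if not header_is_safe(field):
            raise ValueError("header field contains CR/LF")
    if not recipient_is_allowed(to_email):
        raise ValueError("recipient not in allowlist")
    msg = EmailMessage()
    msg["From"] = from_email
    msg["To"] = to_email
    msg["Subject"] = subject
    # html.escape turns <, >, & and quotes into entities, so user text cannot add markup.
    msg.set_content(f"<p>{html.escape(user_text)}</p>", subtype="html")
    return msg


def send(from_email: str, to_email: str, subject: str, user_text: str) -> None:
    """Hardened replacement for the sensitive send(): validate before talking SMTP."""
    msg = build_message(from_email, to_email, subject, user_text)
    with smtplib.SMTP("localhost", 1025) as server:
        server.send_message(msg)  # headers come from the validated EmailMessage
```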

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 28 Oct 2019, 07:42:43 Alexandre Gigleux wrote:
LGTM

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
|