
Is there an injection vulnerability in the email body?

Updated: 2022-12-03 09:41:21

There's a possible injection in the body text if you're speaking native SMTP to the mail server.

A single . on its own terminates the current body in SMTP, so in theory you could have user supplied input like this:

some body text
.
MAIL FROM: <...>
RCPT TO: <...>
DATA
Subject: here's some spam

here's a new body

and the SMTP server might allow the second message through.

Some SMTP servers can be configured to prevent this by not allowing SMTP commands to be pipelined (i.e. requiring the client to read the response before permitting the next command).
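The client-side defence against the lone-"." trick in the answer above is the transparency rule of RFC 5321 section 4.5.2 (prefix every body line that starts with "." with another "."), which is what Python's smtplib applies inside SMTP.data(). The following is an added example, not code from the answer or any project; the hostile body and addresses are constructed, and it contrasts a naive DATA payload with a dot-stuffed one and shows what a receiving server would reconstruct from each.

```python
import re

# Constructed sample: user-supplied body shaped like the payload in the answer
# (a lone "." line followed by smuggled SMTP commands). Addresses are placeholders.
HOSTILE_BODY = (
    "some body text\n"
    ".\n"
    "MAIL FROM: <attacker@example.invalid>\n"
    "RCPT TO: <victim@example.invalid>\n"
    "DATA\n"
    "Subject: here's some spam\n"
    "\n"
    "here's a new body\n"
)

_EOL_RE = re.compile(r"\r\n|\r|\n")


def normalize_eol(text: str) -> str:
    """Canonicalise bare LF / CR to CRLF; SMTP lines are CRLF-delimited."""
    return _EOL_RE.sub("\r\n", text)


def dot_stuff(text: str) -> str:
    """RFC 5321 s4.5.2 transparency: any line starting with '.' gets an extra
    leading '.', so the server never sees a bare '.' line inside DATA."""
    lines = normalize_eol(text).split("\r\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def naive_data_payload(body: str) -> str:
    """Unsafe: body pasted straight into DATA, then the real terminator."""
    return normalize_eol(body) + ".\r\n"


def smtp_data_payload(body: str) -> str:
    """Safe: dot-stuffed body, guaranteed trailing CRLF, then the terminator."""
    stuffed = dot_stuff(body)
    if not stuffed.endswith("\r\n"):
        stuffed += "\r\n"
    return stuffed + ".\r\n"


def has_bare_terminator(payload: str) -> bool:
    """Detection helper: True if a line before the final '.' is exactly '.'."""
    lines = payload.split("\r\n")
    return "." in lines[:-2]  # last two entries: real terminator and ''


def receiver_decode(payload: str) -> str:
    """What the receiving MTA stores: read until a bare '.', un-stuff the rest."""
    out = []
    for ln in payload.split("\r\n"):
        if ln == ".":
            break
        out.append(ln[1:] if ln.startswith(".") else ln)
    return "\r\n".join(out) + "\r\n"
```

With the naive payload the server's message ends after "some body text" and the remaining lines are parsed as commands; with the stuffed payload the whole body, lone "." included, reaches the recipient as ordinary text.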