Updated: 2022-12-03 09:41:21
There's a possible injection in the body text if you're speaking native SMTP to the mail server.
A single "." on its own terminates the current body in SMTP, so in theory you could have user supplied input like this:
some body text
.
MAIL FROM: <...>
RCPT TO: <...>
DATA
Subject: here's some spam
here's a new body
and the SMTP server might allow the second message through.
Some SMTP servers can be configured to prevent this by not allowing SMTP commands to be pipelined (i.e. requiring the client to read the response before permitting the next command).
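The client-side fix for the body shown above is the RFC 5321 "dot-stuffing" transparency rule: before sending DATA, prefix every line that starts with "." with another ".", so a bare "." can only ever be the terminator the client itself appends. The following is an added example, not code from the original post; the receiving-server simulation (naive_server_split) and the sample body are constructed here to show that the injected "." ends the message early when unstuffed and is delivered as ordinary text once stuffed.

```python
from typing import Tuple

# Constructed sample: the user-supplied body from the post above.
INJECTED_BODY = (
    "some body text\r\n"
    ".\r\n"
    "MAIL FROM: <...>\r\n"
    "RCPT TO: <...>\r\n"
    "DATA\r\n"
    "Subject: here's some spam\r\n"
    "here's a new body"
)


def normalize_newlines(text: str) -> str:
    """Fold bare LF and bare CR into CRLF so line-start checks are consistent."""
    return text.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n")


def dot_stuff(body: str) -> str:
    """RFC 5321 section 4.5.2: a line beginning with '.' gets an extra '.' in front."""
    lines = normalize_newlines(body).split("\r\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def wire_data(body: str) -> str:
    """What a correct client actually sends after the DATA command."""
    return dot_stuff(body) + "\r\n.\r\n"


def naive_server_split(wire: str) -> Tuple[str, str]:
    """Simulate the receiver: the body ends at the first line that is exactly '.';
    every line after it is handed back to the command parser. A leading '.' on
    any other line is removed (the receiver's half of the transparency rule)."""
    body, rest, ended = [], [], False
    for ln in normalize_newlines(wire).split("\r\n"):
        if ended:
            rest.append(ln)
        elif ln == ".":
            ended = True
        else:
            body.append(ln[1:] if ln.startswith(".") else ln)
    return "\r\n".join(body), "\r\n".join(rest)


def leaks_commands(body: str) -> bool:
    """True if sending this body unstuffed would push text into the command stream."""
    return naive_server_split(body + "\r\n.\r\n")[1].strip() != ""
```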