CodeSOD: Strongly Bad Emails


If you want to send emails from a Java program, you might be tempted to use the javax.mail package, which contains objects for doing exactly that. It’s a relatively straightforward API, and while it’s a bit verbose, that’s hardly unusual for Java. You just wrap it up in a convenience function based on how you need to call it, and reuse that, right?

Well, PHP, an obviously superior language, already did that work. There’s a built-in mail function, which sends emails. It uses your php.ini file to figure out what SMTP service to use, making the parameters to the function more “obvious”.

Chris had a co-worker that really loved the… elegance… of PHP’s solution to this problem, and thus, when they needed to send emails from Java, they did it this way:

public static void sendEmail(String log, String status) throws Exception {
    String host = "altered.host";
    // Build the query string by hand: status and log go in unencoded, so any
    // '&', '#', '?' or newline in them changes the meaning of the request
    String url = "http://" + host + "/atcoEmail.php?subject=TIS REPORT - " + status + "&body=" + log;
    // "URL encoding": swap spaces for tildes and hope nothing else needs escaping
    String newUrl = url.replace(" ", "~");
    System.out.println(newUrl);
    // Runtime.exec(String) splits on whitespace and runs no shell, so the
    // redirect is not a redirect: the '>' is glued onto the URL and
    // "/dev/null" and "2>&1" are handed to wget as two more arguments
    Runtime.getRuntime().exec("wget -O - ".concat(newUrl).concat("> /dev/null 2>&1"));
}

And don’t worry about security, this program was being run as root. What could go wrong?
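For contrast, a hardened rewrite, added here as an example and not code from the original post or from Chris's codebase: it percent-encodes both parameters and calls the endpoint with the JDK's own HTTP client instead of spawning wget, so there is no shell and no command line to tamper with. It assumes Java 11 or later, keeps the redacted host name as a placeholder, and assumes the endpoint is reachable over HTTPS; it does nothing about the PHP endpoint itself accepting subject and body from anyone who can reach it, or about the program running as root.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class ReportMailer {
    // Placeholder host, as redacted in the original post.
    private static final String HOST = "altered.host";

    // Percent-encode each value separately, so '&', '#', quotes or newlines in
    // status/log stay inside their own parameter instead of reshaping the query.
    static URI buildReportUri(String status, String log) {
        String subject = URLEncoder.encode("TIS REPORT - " + status, StandardCharsets.UTF_8);
        String body = URLEncoder.encode(log, StandardCharsets.UTF_8);
        return URI.create("https://" + HOST + "/atcoEmail.php?subject=" + subject + "&body=" + body);
    }

    // Issue the request in-process: no wget, no shell, no argument splitting,
    // and the HTTP status is returned to the caller instead of being discarded.
    public static int sendEmail(String log, String status) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(buildReportUri(status, log)).GET().build();
        HttpResponse<Void> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.discarding());
        return response.statusCode();
    }

    public static void main(String[] args) {
        // Constructed sample input with the characters that break the original
        // (space, '&', '=', '#'); prints the encoded URI without sending anything.
        System.out.println(buildReportUri("FAILED", "disk full & retry=3 #2"));
    }
}
```

A non-2xx status from sendEmail should be logged or surfaced rather than ignored, which the original's redirect to /dev/null made impossible.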

