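# build mail from template
#
# Reply to the incoming ICLA message.  Each optional copy-list entry is an
# expression that evaluates to nil when its condition does not hold; the
# lists are compacted here so the mail layer never receives a nil address
# (a nil element in an address array could otherwise be rendered as an
# empty entry in the Cc:/Bcc: header).
#
# NOTE(review): @from is passed through unchanged.  The "tainted from_addr"
# SecurityError seen from net/smtp#mailfrom under $SAFE indicates @from still
# carries the taint of request-derived input — presumably it is taken from
# the request/template data; confirm against the caller.  If it has to be
# untainted, do so where the value is validated as a well-formed address
# rather than with a blanket `.untaint` at this call site, otherwise the
# taint check no longer protects anything.
mail = message.reply(
  subject: "ICLA for #{@pubname}",
  from: @from,
  to: "#{@pubname.inspect} <#{@email}>",
  cc: [
    ('[email protected]' unless use_Bcc),
    ("private@#{@pmc.mail_list}.apache.org" if @pmc), # copy pmc
    (@podling.private_mail_list if @podling)          # copy podling
  ].compact,
  bcc: [('[email protected]' if use_Bcc)].compact,
  body: template(reply)
)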
Can it be as easy as `from: @from.untaint`?
Or should the @from variable be untainted at the point where it is created?
Craig
> On Oct 30, 2018, at 11:12 AM, sebb <[email protected]> wrote:
>
> On Tue, 30 Oct 2018 at 17:54, Craig Russell <[email protected]> wrote:
>>
>> This now happens on every request for a new account. I don't even see where
>> the "from_addr" is set.
>
> I think it's done in the template processing, i.e. here:
>
> mail = Mail.new(template('acreq.erb'))
>
> But when I had a look I could not work out how to untaint it.
>
>> Is the bug that the from_addr is never set? Or is that done in Mail.new?
>>
>> ######################################################################
>> # email root@ #
>> ######################################################################
>>
>> task "email [email protected]" do
>> # build mail from template
>> mail = Mail.new(template('acreq.erb'))
>>
>> # adjust copy lists
>> cc = ["#{@pubname.inspect} <#{@email}>"]
>> cc << "private@#{@pmc.mail_list}.apache.org" if @pmc # copy pmc
>> cc << @podling.private_mail_list if @podling # copy podling
>> mail.cc = cc.uniq.map {|email| email.dup.untaint}
>>
>> # untaint to email addresses
>> mail.to = mail.to.map {|email| email.dup.untaint}
>>
>> # echo email
>> form do
>> _message mail.to_s
>> end
>>
>> # deliver mail
>> complete do
>> mail.deliver!
>> end
>> end
>>
>> #<SecurityError: tainted from_addr>
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in
>> `mailfrom'
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in
>> `send_message'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in
>> `deliver!'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in
>> `block in deliver!'
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in
>> `start_smtp_session'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in
>> `deliver!'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in
>> `deliver!'
>> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in
>> `block (2 levels) in _evaluate'
>> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:47:in `complete'
>> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:249:in
>> `block in _evaluate'
>> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:12:in `task'
>> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:230:in
>> `_evaluate'
>> /x1/srv/whimsy/www/secretary/workbench/server.rb:92:in `block in <top
>> (required)>'
>> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:223:in `call'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/out_of_band_gc.rb:48:in
>> `call'
>> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:148:in `call'
>> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:79:in `call'
>> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:254:in `call'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in
>> `process_request'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:160:in
>> `accept_and_process_next_request'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:113:in
>> `main_loop'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler.rb:416:in
>> `block (3 levels) in start_threads'
>>
>> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/utils.rb:113:in
>> `block in create_thread_and_abort_on_exception'
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> [email protected] http://db.apache.org/jdo
>>
Craig L Russell
Secretary, Apache Software Foundation
[email protected] http://db.apache.org/jdo