Hello community, here is the log from the commit of package rubygem-mail for openSUSE:Factory checked in at 2017-07-10 11:06:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rubygem-mail (Old) and /work/SRC/openSUSE:Factory/.rubygem-mail.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-mail" Mon Jul 10 11:06:49 2017 rev:12 rq:505378 version:2.6.6 Changes: -------- --- /work/SRC/openSUSE:Factory/rubygem-mail/rubygem-mail.changes 2017-06-08 15:01:26.828199119 +0200 +++ /work/SRC/openSUSE:Factory/.rubygem-mail.new/rubygem-mail.changes 2017-07-10 11:06:50.164940871 +0200 @@ -1,0 +2,14 @@ +Tue Jun 13 20:50:12 UTC 2017 - co...@suse.com + +- updated to version 2.6.6 + see installed CHANGELOG.rdoc + + == Version 2.6.6 - 2017-06-09 Jeremy Daer <jeremyd...@gmail.com> + + Security: + * #1097 – SMTP security: prevent command injection via To/From addresses. (jeremy) + + Bugs: + * #689 - Fix Exim delivery method broken by #477 in 2.5.4. (jethrogb) + +------------------------------------------------------------------- Old: ---- mail-2.6.5.gem New: ---- mail-2.6.6.gem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-mail.spec ++++++ --- /var/tmp/diff_new_pack.RW01B8/_old 2017-07-10 11:06:50.788852762 +0200 +++ /var/tmp/diff_new_pack.RW01B8/_new 2017-07-10 11:06:50.792852198 +0200 @@ -24,7 +24,7 @@ # Name: rubygem-mail -Version: 2.6.5 +Version: 2.6.6 Release: 0 %define mod_name mail %define mod_full_name %{mod_name}-%{version} ++++++ mail-2.6.5.gem -> mail-2.6.6.gem ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/CHANGELOG.rdoc new/CHANGELOG.rdoc --- old/CHANGELOG.rdoc 2017-04-27 03:03:00.000000000 +0200 +++ new/CHANGELOG.rdoc 2017-06-09 22:59:24.000000000 +0200 
@@ -1,3 +1,11 @@ +== Version 2.6.6 - 2017-06-09 Jeremy Daer <jeremyd...@gmail.com> + +Security: +* #1097 – SMTP security: prevent command injection via To/From addresses. (jeremy) + +Bugs: +* #689 - Fix Exim delivery method broken by #477 in 2.5.4. (jethrogb) + == Version 2.6.5 - 2017-04-26 Jeremy Daer <jeremyd...@gmail.com> Features: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/README.md new/README.md --- old/README.md 2017-04-27 03:03:00.000000000 +0200 +++ new/README.md 2017-06-09 22:59:24.000000000 +0200 @@ -42,25 +42,14 @@ Compatibility ------------- -Every Mail commit is tested by Travis on the [following platforms](https://github.com/mikel/mail/blob/master/.travis.yml) +Mail supports Ruby 1.8.7+, including JRuby and Rubinius. -* ruby-1.8.7 [ i686 ] -* ruby-1.9.2 [ x86_64 ] -* ruby-1.9.3 [ x86_64 ] -* ruby-2.0.0 [ x86_64 ] -* ruby-2.1.10 [ x86_64 ] -* ruby-2.2.6 [ x86_64 ] -* ruby-2.3.3 [ x86_64 ] -* ruby-head [ x86_64 ] -* jruby [ x86_64 ] -* jruby-9.1.6.0 [ x86_64 ] -* jruby-head [ x86_64 ] -* rbx-2 [ x86_64 ] +Every Mail commit is tested by Travis on [all supported Ruby versions](https://github.com/mikel/mail/blob/master/.travis.yml). -Testing a specific mime type (needed for 1.8.7 for example) can be done manually with: +Testing a specific version of mime-types (needed for Ruby 1.8.7, for example) can be done manually with: ```sh -BUNDLE_GEMFILE=gemfiles/mime_types_1.16.gemfile (bundle check || bundle) && rake +BUNDLE_GEMFILE=gemfiles/mime_types_1.16.gemfile bundle && rake ``` Discussion Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/check_delivery_params.rb new/lib/mail/check_delivery_params.rb --- old/lib/mail/check_delivery_params.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/check_delivery_params.rb 2017-06-09 22:59:24.000000000 +0200 
@@ -1,21 +1,58 @@ # frozen_string_literal: true module Mail - module CheckDeliveryParams - def check_delivery_params(mail) - if Utilities.blank?(mail.smtp_envelope_from) - raise ArgumentError.new('An SMTP From address is required to send a message. Set the message smtp_envelope_from, return_path, sender, or from address.') + module CheckDeliveryParams #:nodoc: + class << self + def check(mail) + [ check_from(mail.smtp_envelope_from), + check_to(mail.smtp_envelope_to), + check_message(mail) ] end - if Utilities.blank?(mail.smtp_envelope_to) - raise ArgumentError.new('An SMTP To address is required to send a message. Set the message smtp_envelope_to, to, cc, or bcc address.') + def check_from(addr) + if Utilities.blank?(addr) + raise ArgumentError, "SMTP From address may not be blank: #{addr.inspect}" + end + + check_addr 'From', addr + end + + def check_to(addrs) + if Utilities.blank?(addrs) + raise ArgumentError, "SMTP To address may not be blank: #{addrs.inspect}" + end + + Array(addrs).map do |addr| + check_addr 'To', addr + end end - message = mail.encoded if mail.respond_to?(:encoded) - if Utilities.blank?(message) - raise ArgumentError.new('An encoded message is required to send an email') + def check_addr(addr_name, addr) + validate_smtp_addr addr do |error_message| + raise ArgumentError, "SMTP #{addr_name} address #{error_message}: #{addr.inspect}" + end end - [mail.smtp_envelope_from, mail.smtp_envelope_to, message] + def validate_smtp_addr(addr) + if addr.bytesize > 2048 + yield 'may not exceed 2kB' + end + + if /[\r\n]/ =~ addr + yield 'may not contain CR or LF line breaks' + end + + addr + end + + def check_message(message) + message = message.encoded if message.respond_to?(:encoded) + + if Utilities.blank?(message) + raise ArgumentError, 'An encoded message is required to send an email' + end + + message + end end end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
old/lib/mail/network/delivery_methods/exim.rb new/lib/mail/network/delivery_methods/exim.rb --- old/lib/mail/network/delivery_methods/exim.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/exim.rb 2017-06-09 22:59:24.000000000 +0200 @@ -37,17 +37,13 @@ # # mail.deliver! class Exim < Sendmail - def initialize(values) - self.settings = { :location => '/usr/sbin/exim', - :arguments => '-i -t' }.merge(values) - end + DEFAULTS = { + :location => '/usr/sbin/exim', + :arguments => '-i -t' + } - def self.call(path, arguments, destinations, mail) - popen "#{path} #{arguments}" do |io| - io.puts ::Mail::Utilities.to_lf(mail.encoded) - io.flush - end + def self.call(path, arguments, destinations, encoded_message) + super path, arguments, nil, encoded_message end - end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/network/delivery_methods/file_delivery.rb new/lib/mail/network/delivery_methods/file_delivery.rb --- old/lib/mail/network/delivery_methods/file_delivery.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/file_delivery.rb 2017-06-09 22:59:24.000000000 +0200 @@ -2,7 +2,6 @@ require 'mail/check_delivery_params' module Mail - # FileDelivery class delivers emails into multiple files based on the destination # address. Each file is appended to if it already exists. # @@ -14,22 +13,20 @@ # Make sure the path you specify with :location is writable by the Ruby process # running Mail. class FileDelivery - include Mail::CheckDeliveryParams - if RUBY_VERSION >= '1.9.1' require 'fileutils' else require 'ftools' end + attr_accessor :settings + def initialize(values) self.settings = { :location => './mails' }.merge!(values) end - - attr_accessor :settings - + def deliver!(mail) - check_delivery_params(mail) + Mail::CheckDeliveryParams.check(mail) if ::File.respond_to?(:makedirs) ::File.makedirs settings[:location] 
@@ -41,6 +38,5 @@ ::File.open(::File.join(settings[:location], File.basename(to.to_s)), 'a') { |f| "#{f.write(mail.encoded)}\r\n\r\n" } end end - end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/network/delivery_methods/sendmail.rb new/lib/mail/network/delivery_methods/sendmail.rb --- old/lib/mail/network/delivery_methods/sendmail.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/sendmail.rb 2017-06-09 22:59:24.000000000 +0200 @@ -38,17 +38,19 @@ # # mail.deliver! class Sendmail - include Mail::CheckDeliveryParams + DEFAULTS = { + :location => '/usr/sbin/sendmail', + :arguments => '-i' + } + + attr_accessor :settings def initialize(values) - self.settings = { :location => '/usr/sbin/sendmail', - :arguments => '-i' }.merge(values) + self.settings = self.class::DEFAULTS.merge(values) end - attr_accessor :settings - def deliver!(mail) - smtp_from, smtp_to, message = check_delivery_params(mail) + smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail) from = "-f #{self.class.shellquote(smtp_from)}" to = smtp_to.map { |_to| self.class.shellquote(_to) }.join(' ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/network/delivery_methods/smtp.rb new/lib/mail/network/delivery_methods/smtp.rb --- old/lib/mail/network/delivery_methods/smtp.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/smtp.rb 2017-06-09 22:59:24.000000000 +0200 @@ -75,7 +75,7 @@ # # mail.deliver! class SMTP - include Mail::CheckDeliveryParams + attr_accessor :settings def initialize(values) self.settings = { :address => "localhost", 
@@ -91,12 +91,10 @@ }.merge!(values) end - attr_accessor :settings - # Send the message via SMTP. # The from and to attributes are optional. If not set, they are retrieve from the Message. def deliver!(mail) - smtp_from, smtp_to, message = check_delivery_params(mail) + smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail) smtp = Net::SMTP.new(settings[:address], settings[:port]) if settings[:tls] || settings[:ssl] @@ -120,7 +118,6 @@ self end end - private diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/network/delivery_methods/smtp_connection.rb new/lib/mail/network/delivery_methods/smtp_connection.rb --- old/lib/mail/network/delivery_methods/smtp_connection.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/smtp_connection.rb 2017-06-09 22:59:24.000000000 +0200 @@ -38,7 +38,7 @@ # # mail.deliver! class SMTPConnection - include Mail::CheckDeliveryParams + attr_accessor :smtp, :settings def initialize(values) raise ArgumentError.new('A Net::SMTP object is required for this delivery method') if values[:connection].nil? @@ -46,17 +46,13 @@ self.settings = values end - attr_accessor :smtp - attr_accessor :settings - # Send the message via SMTP. # The from and to attributes are optional. If not set, they are retrieve from the Message. def deliver!(mail) - smtp_from, smtp_to, message = check_delivery_params(mail) + smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail) response = smtp.sendmail(message, smtp_from, smtp_to) settings[:return_response] ? response : self end - end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/network/delivery_methods/test_mailer.rb new/lib/mail/network/delivery_methods/test_mailer.rb --- old/lib/mail/network/delivery_methods/test_mailer.rb 2017-04-27 03:03:00.000000000 +0200 +++ new/lib/mail/network/delivery_methods/test_mailer.rb 2017-06-09 22:59:24.000000000 +0200 
@@ -8,10 +8,8 @@ # It also provides a template of the minimum methods you require to implement # if you want to make a custom mailer for Mail class TestMailer - include Mail::CheckDeliveryParams - # Provides a store of all the emails sent with the TestMailer so you can check them. - def TestMailer.deliveries + def self.deliveries @@deliveries ||= [] end @@ -26,20 +24,19 @@ # * length # * size # * and other common Array methods - def TestMailer.deliveries=(val) + def self.deliveries=(val) @@deliveries = val end + attr_accessor :settings + def initialize(values) @settings = values.dup end - - attr_accessor :settings def deliver!(mail) - check_delivery_params(mail) + Mail::CheckDeliveryParams.check(mail) Mail::TestMailer.deliveries << mail end - end end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lib/mail/version.rb new/lib/mail/version.rb --- old/lib/mail/version.rb 2017-04-27 03:03:01.000000000 +0200 +++ new/lib/mail/version.rb 2017-06-09 22:59:25.000000000 +0200 @@ -4,7 +4,7 @@ MAJOR = 2 MINOR = 6 - PATCH = 5 + PATCH = 6 BUILD = nil STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/metadata new/metadata --- old/metadata 2017-04-27 03:03:00.000000000 +0200 +++ new/metadata 2017-06-09 22:59:24.000000000 +0200 @@ -1,14 +1,14 @@ --- !ruby/object:Gem::Specification name: mail version: !ruby/object:Gem::Version - version: 2.6.5 + version: 2.6.6 platform: ruby authors: - Mikel Lindsaar autorequire: bindir: bin cert_chain: [] -date: 2017-04-27 00:00:00.000000000 Z +date: 2017-06-09 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: mime-types @@ -269,7 +269,7 @@ version: '0' requirements: [] rubyforge_project: -rubygems_version: 2.6.10 +rubygems_version: 2.6.11 signing_key: specification_version: 4 summary: Mail provides a nice Ruby DSL for making, sending and reading emails.
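Review bot: in the lib/mail/check_delivery_params.rb hunk, `check_to` rejects a blank collection but not a blank element: `Utilities.blank?(addrs)` is false for a non-empty array such as `[""]`, and an empty string contains neither CR nor LF and is under 2048 bytes, so `validate_smtp_addr` returns it and an empty recipient reaches the delivery method. Apply `Utilities.blank?(addr)` inside the `Array(addrs).map` block as well. The same hunk also turns the `check_delivery_params(mail)` instance mixin into the module-level `Mail::CheckDeliveryParams.check(mail)` and marks the module `#:nodoc:`; any custom delivery method that did `include Mail::CheckDeliveryParams` breaks on this patch release, and the CHANGELOG entry only lists #1097 and #689, so either document the rename or keep the old instance method as a deprecated shim. Minor: `addr.bytesize` assumes a String, so a non-String address that passes the blank check raises NoMethodError rather than the intended ArgumentError.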
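Review bot: in the lib/mail/network/delivery_methods/exim.rb hunk, `self.call` forwards `nil` as the destinations to `Sendmail.call`, but the diff does not show how `Sendmail.call` assembles its command line, so confirm it tolerates a nil destination list (no `.join` or iteration on it) rather than only a possibly empty array. Dropping the recipients from argv is the right shape for the #689 fix, since `-t` in `DEFAULTS` makes exim take them from the headers, but a one-line comment on `self.call` stating that is why `nil` is passed would spare the next reader a trip to the issue tracker.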
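Review bot: in the second lib/mail/network/delivery_methods/file_delivery.rb hunk, the context line `::File.open(::File.join(settings[:location], File.basename(to.to_s)), 'a') { |f| "#{f.write(mail.encoded)}\r\n\r\n" }` never writes the separator: the block interpolates the byte count returned by `f.write` into a string and then discards that string, so successive messages appended to the same file run together. Write it explicitly: `f.write(mail.encoded); f.write("\r\n\r\n")`. The defect predates this patch, but the hunk already touches the surrounding lines.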
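Review bot: in the lib/mail/network/delivery_methods/sendmail.rb hunk, `shellquote` protects the shell but not the sendmail binary's own option parser: `to = smtp_to.map { |_to| self.class.shellquote(_to) }.join(' ')` places each recipient as a separate argument, and the new `validate_smtp_addr` only rejects CR, LF and addresses over 2048 bytes, so a recipient that begins with `-` is still handed to the binary as an option. Either reject addresses starting with `-` in `validate_smtp_addr`, or emit `--` before the recipient list for sendmail implementations whose option parsing honors it.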
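Review bot: in the lib/mail/network/delivery_methods/smtp.rb and smtp_connection.rb hunks, the context comment above `deliver!` reads "they are retrieve from the Message"; it should read "retrieved". The call `smtp.sendmail(message, smtp_from, smtp_to)` is otherwise the spot where the #1097 fix lands, since `Net::SMTP` places those strings directly into MAIL FROM and RCPT TO, so a short comment there noting that `Mail::CheckDeliveryParams.check` is what keeps CR/LF out of them would make the dependency explicit for the next person who refactors either file.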