Hello community,

here is the log from the commit of package rubygem-mail for openSUSE:Factory 
checked in at 2017-07-10 11:06:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-mail (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-mail.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-mail"

Mon Jul 10 11:06:49 2017 rev:12 rq:505378 version:2.6.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-mail/rubygem-mail.changes        
2017-06-08 15:01:26.828199119 +0200
+++ /work/SRC/openSUSE:Factory/.rubygem-mail.new/rubygem-mail.changes   
2017-07-10 11:06:50.164940871 +0200
@@ -1,0 +2,14 @@
+Tue Jun 13 20:50:12 UTC 2017 - co...@suse.com
+
+- updated to version 2.6.6
+ see installed CHANGELOG.rdoc
+
+  == Version 2.6.6 - 2017-06-09 Jeremy Daer <jeremyd...@gmail.com>
+  
+  Security:
+  * #1097 – SMTP security: prevent command injection via To/From addresses. 
(jeremy)
+  
+  Bugs:
+  * #689 - Fix Exim delivery method broken by #477 in 2.5.4. (jethrogb)
+
+-------------------------------------------------------------------
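
Review bot: The "Security:" item in this changelog entry carries only the upstream issue number (#1097) and no distribution bug or CVE reference, so update tooling and readers scanning the .changes file cannot tie the package update to a tracked security issue. If a Bugzilla or CVE identifier has been assigned to the SMTP command injection fix, cite it on the "updated to version 2.6.6" line; if none exists, say so in the request so the security team can decide whether one is needed.
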

Old:
----
  mail-2.6.5.gem

New:
----
  mail-2.6.6.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-mail.spec ++++++
--- /var/tmp/diff_new_pack.RW01B8/_old  2017-07-10 11:06:50.788852762 +0200
+++ /var/tmp/diff_new_pack.RW01B8/_new  2017-07-10 11:06:50.792852198 +0200
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-mail
-Version:        2.6.5
+Version:        2.6.6
 Release:        0
 %define mod_name mail
 %define mod_full_name %{mod_name}-%{version}

++++++ mail-2.6.5.gem -> mail-2.6.6.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.rdoc new/CHANGELOG.rdoc
--- old/CHANGELOG.rdoc  2017-04-27 03:03:00.000000000 +0200
+++ new/CHANGELOG.rdoc  2017-06-09 22:59:24.000000000 +0200
@@ -1,3 +1,11 @@
+== Version 2.6.6 - 2017-06-09 Jeremy Daer <jeremyd...@gmail.com>
+
+Security:
+* #1097 – SMTP security: prevent command injection via To/From addresses. 
(jeremy)
+
+Bugs:
+* #689 - Fix Exim delivery method broken by #477 in 2.5.4. (jethrogb)
+
 == Version 2.6.5 - 2017-04-26 Jeremy Daer <jeremyd...@gmail.com>
 
 Features:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       2017-04-27 03:03:00.000000000 +0200
+++ new/README.md       2017-06-09 22:59:24.000000000 +0200
@@ -42,25 +42,14 @@
 Compatibility
 -------------
 
-Every Mail commit is tested by Travis on the [following 
platforms](https://github.com/mikel/mail/blob/master/.travis.yml)
+Mail supports Ruby 1.8.7+, including JRuby and Rubinius.
 
-* ruby-1.8.7 [ i686 ]
-* ruby-1.9.2 [ x86_64 ]
-* ruby-1.9.3 [ x86_64 ]
-* ruby-2.0.0 [ x86_64 ]
-* ruby-2.1.10 [ x86_64 ]
-* ruby-2.2.6 [ x86_64 ]
-* ruby-2.3.3 [ x86_64 ]
-* ruby-head [ x86_64 ]
-* jruby [ x86_64 ]
-* jruby-9.1.6.0 [ x86_64 ]
-* jruby-head [ x86_64 ]
-* rbx-2 [ x86_64 ]
+Every Mail commit is tested by Travis on [all supported Ruby 
versions](https://github.com/mikel/mail/blob/master/.travis.yml).
 
-Testing a specific mime type (needed for 1.8.7 for example) can be done 
manually with:
+Testing a specific version of mime-types (needed for Ruby 1.8.7, for example) 
can be done manually with:
 
 ```sh
-BUNDLE_GEMFILE=gemfiles/mime_types_1.16.gemfile (bundle check || bundle) && 
rake
+BUNDLE_GEMFILE=gemfiles/mime_types_1.16.gemfile bundle && rake
 ```
 
 Discussion
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/check_delivery_params.rb 
new/lib/mail/check_delivery_params.rb
--- old/lib/mail/check_delivery_params.rb       2017-04-27 03:03:00.000000000 
+0200
+++ new/lib/mail/check_delivery_params.rb       2017-06-09 22:59:24.000000000 
+0200
@@ -1,21 +1,58 @@
 # frozen_string_literal: true
 module Mail
-  module CheckDeliveryParams
-    def check_delivery_params(mail)
-      if Utilities.blank?(mail.smtp_envelope_from)
-        raise ArgumentError.new('An SMTP From address is required to send a 
message. Set the message smtp_envelope_from, return_path, sender, or from 
address.')
+  module CheckDeliveryParams #:nodoc:
+    class << self
+      def check(mail)
+        [ check_from(mail.smtp_envelope_from),
+          check_to(mail.smtp_envelope_to),
+          check_message(mail) ]
       end
 
-      if Utilities.blank?(mail.smtp_envelope_to)
-        raise ArgumentError.new('An SMTP To address is required to send a 
message. Set the message smtp_envelope_to, to, cc, or bcc address.')
+      def check_from(addr)
+        if Utilities.blank?(addr)
+          raise ArgumentError, "SMTP From address may not be blank: 
#{addr.inspect}"
+        end
+
+        check_addr 'From', addr
+      end
+
+      def check_to(addrs)
+        if Utilities.blank?(addrs)
+          raise ArgumentError, "SMTP To address may not be blank: 
#{addrs.inspect}"
+        end
+
+        Array(addrs).map do |addr|
+          check_addr 'To', addr
+        end
       end
 
-      message = mail.encoded if mail.respond_to?(:encoded)
-      if Utilities.blank?(message)
-        raise ArgumentError.new('An encoded message is required to send an 
email')
+      def check_addr(addr_name, addr)
+        validate_smtp_addr addr do |error_message|
+          raise ArgumentError, "SMTP #{addr_name} address #{error_message}: 
#{addr.inspect}"
+        end
       end
 
-      [mail.smtp_envelope_from, mail.smtp_envelope_to, message]
+      def validate_smtp_addr(addr)
+        if addr.bytesize > 2048
+          yield 'may not exceed 2kB'
+        end
+
+        if /[\r\n]/ =~ addr
+          yield 'may not contain CR or LF line breaks'
+        end
+
+        addr
+      end
+
+      def check_message(message)
+        message = message.encoded if message.respond_to?(:encoded)
+
+        if Utilities.blank?(message)
+          raise ArgumentError, 'An encoded message is required to send an 
email'
+        end
+
+        message
+      end
     end
   end
 end
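
Review bot: In check_to, blankness is tested on the collection as a whole and each entry of Array(addrs) then goes straight to validate_smtp_addr, which calls addr.bytesize. Unless Utilities.blank? inspects every element, a nil entry inside a non-empty list raises NoMethodError instead of the ArgumentError the other paths produce, and an empty-string entry passes validation. Suggest a per-entry blank check inside check_addr, or a String type check before bytesize. Separately, the instance method check_delivery_params is removed and the module is now #:nodoc: with only singleton methods, so any delivery method outside this gem that does "include Mail::CheckDeliveryParams" and calls check_delivery_params(mail) will break; keeping a thin instance-method wrapper that forwards to CheckDeliveryParams.check would preserve compatibility in a patch release. The CR/LF pattern /[\r\n]/ is the actual injection fix and would benefit from a one-line comment stating that it protects the MAIL FROM and RCPT TO commands.
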
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/exim.rb 
new/lib/mail/network/delivery_methods/exim.rb
--- old/lib/mail/network/delivery_methods/exim.rb       2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/exim.rb       2017-06-09 
22:59:24.000000000 +0200
@@ -37,17 +37,13 @@
   #
   #   mail.deliver!
   class Exim < Sendmail
-    def initialize(values)
-      self.settings = { :location       => '/usr/sbin/exim',
-                        :arguments      => '-i -t' }.merge(values)
-    end
+    DEFAULTS = {
+      :location   => '/usr/sbin/exim',
+      :arguments  => '-i -t'
+    }
 
-    def self.call(path, arguments, destinations, mail)
-      popen "#{path} #{arguments}" do |io|
-        io.puts ::Mail::Utilities.to_lf(mail.encoded)
-        io.flush
-      end
+    def self.call(path, arguments, destinations, encoded_message)
+      super path, arguments, nil, encoded_message
     end
-
   end
 end
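
Review bot: Exim.call now passes nil as the destinations argument to super, but Sendmail.call is not part of this diff, so it is not possible to confirm from here that the parent tolerates nil (for example that it does not interpolate it into the command line as an empty or literal value). Please add a short comment on the super call explaining that recipients are taken from the message headers because of the '-t' in DEFAULTS, and make sure there is a spec covering the nil case, since this hunk is the fix for the Exim breakage noted in the changelog. The destinations parameter is now unused in this method; prefixing it with an underscore would make that explicit.
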
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/file_delivery.rb 
new/lib/mail/network/delivery_methods/file_delivery.rb
--- old/lib/mail/network/delivery_methods/file_delivery.rb      2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/file_delivery.rb      2017-06-09 
22:59:24.000000000 +0200
@@ -2,7 +2,6 @@
 require 'mail/check_delivery_params'
 
 module Mail
-  
   # FileDelivery class delivers emails into multiple files based on the 
destination
   # address.  Each file is appended to if it already exists.
   # 
@@ -14,22 +13,20 @@
   # Make sure the path you specify with :location is writable by the Ruby 
process
   # running Mail.
   class FileDelivery
-    include Mail::CheckDeliveryParams
-
     if RUBY_VERSION >= '1.9.1'
       require 'fileutils'
     else
       require 'ftools'
     end
 
+    attr_accessor :settings
+
     def initialize(values)
       self.settings = { :location => './mails' }.merge!(values)
     end
-    
-    attr_accessor :settings
-    
+
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
 
       if ::File.respond_to?(:makedirs)
         ::File.makedirs settings[:location]
@@ -41,6 +38,5 @@
         ::File.open(::File.join(settings[:location], File.basename(to.to_s)), 
'a') { |f| "#{f.write(mail.encoded)}\r\n\r\n" }
       end
     end
-    
   end
 end
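
Review bot: While this file is being touched, the unchanged File.open block in this hunk's context looks wrong: { |f| "#{f.write(mail.encoded)}\r\n\r\n" } writes only mail.encoded and then builds a string from the byte count plus "\r\n\r\n" that is returned from the block and discarded, so the separator between appended messages is never written to the file. If the separator is intended, write it explicitly, for example f.write("#{mail.encoded}\r\n\r\n"). This is pre-existing and not caused by the whitespace removal here, so a follow-up change is fine.
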
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/sendmail.rb 
new/lib/mail/network/delivery_methods/sendmail.rb
--- old/lib/mail/network/delivery_methods/sendmail.rb   2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/sendmail.rb   2017-06-09 
22:59:24.000000000 +0200
@@ -38,17 +38,19 @@
   #
   #   mail.deliver!
   class Sendmail
-    include Mail::CheckDeliveryParams
+    DEFAULTS = {
+      :location   => '/usr/sbin/sendmail',
+      :arguments  => '-i'
+    }
+
+    attr_accessor :settings
 
     def initialize(values)
-      self.settings = { :location       => '/usr/sbin/sendmail',
-                        :arguments      => '-i' }.merge(values)
+      self.settings = self.class::DEFAULTS.merge(values)
     end
 
-    attr_accessor :settings
-
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
 
       from = "-f #{self.class.shellquote(smtp_from)}"
       to = smtp_to.map { |_to| self.class.shellquote(_to) }.join(' ')
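
Review bot: DEFAULTS is a mutable Hash constant that every instance reads through self.class::DEFAULTS (and Exim overrides in its own class). merge returns a copy, so settings are safe, but nothing stops other code from mutating the constant and changing the binary path or arguments for all later instances. Suggest freezing it: DEFAULTS = { ... }.freeze, here and in Exim. The context lines also show that smtp_from and smtp_to are still placed on a shell command line via shellquote; the new CheckDeliveryParams checks only reject CR/LF and oversize values, so a comment noting that shellquote remains the control for shell metacharacters would help future readers.
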
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/smtp.rb 
new/lib/mail/network/delivery_methods/smtp.rb
--- old/lib/mail/network/delivery_methods/smtp.rb       2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/smtp.rb       2017-06-09 
22:59:24.000000000 +0200
@@ -75,7 +75,7 @@
   # 
   #   mail.deliver!
   class SMTP
-    include Mail::CheckDeliveryParams
+    attr_accessor :settings
 
     def initialize(values)
       self.settings = { :address              => "localhost",
@@ -91,12 +91,10 @@
                       }.merge!(values)
     end
 
-    attr_accessor :settings
-
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve 
from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
 
       smtp = Net::SMTP.new(settings[:address], settings[:port])
       if settings[:tls] || settings[:ssl]
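
Review bot: The doc comment above deliver! is now incomplete: with Mail::CheckDeliveryParams.check in place, this method raises ArgumentError not only for blank envelope addresses but also for any From or To address containing CR or LF or exceeding 2kB. Callers that pass user-supplied addresses need to know they must rescue that, so please document the new failure modes here (and in SMTPConnection#deliver!, which has the same comment). The same comment line also has a typo, "they are retrieve from the Message", that could be corrected to "retrieved" in the same change.
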
@@ -120,7 +118,6 @@
         self
       end
     end
-    
 
     private
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/smtp_connection.rb 
new/lib/mail/network/delivery_methods/smtp_connection.rb
--- old/lib/mail/network/delivery_methods/smtp_connection.rb    2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/smtp_connection.rb    2017-06-09 
22:59:24.000000000 +0200
@@ -38,7 +38,7 @@
   # 
   #   mail.deliver!
   class SMTPConnection
-    include Mail::CheckDeliveryParams
+    attr_accessor :smtp, :settings
 
     def initialize(values)
       raise ArgumentError.new('A Net::SMTP object is required for this 
delivery method') if values[:connection].nil?
@@ -46,17 +46,13 @@
       self.settings = values
     end
 
-    attr_accessor :smtp
-    attr_accessor :settings
-
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve 
from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       response = smtp.sendmail(message, smtp_from, smtp_to)
 
       settings[:return_response] ? response : self
     end
-
   end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/network/delivery_methods/test_mailer.rb 
new/lib/mail/network/delivery_methods/test_mailer.rb
--- old/lib/mail/network/delivery_methods/test_mailer.rb        2017-04-27 
03:03:00.000000000 +0200
+++ new/lib/mail/network/delivery_methods/test_mailer.rb        2017-06-09 
22:59:24.000000000 +0200
@@ -8,10 +8,8 @@
   # It also provides a template of the minimum methods you require to implement
   # if you want to make a custom mailer for Mail
   class TestMailer
-    include Mail::CheckDeliveryParams
-
     # Provides a store of all the emails sent with the TestMailer so you can 
check them.
-    def TestMailer.deliveries
+    def self.deliveries
       @@deliveries ||= []
     end
 
@@ -26,20 +24,19 @@
     # * length
     # * size
     # * and other common Array methods
-    def TestMailer.deliveries=(val)
+    def self.deliveries=(val)
       @@deliveries = val
     end
 
+    attr_accessor :settings
+
     def initialize(values)
       @settings = values.dup
     end
-    
-    attr_accessor :settings
 
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
       Mail::TestMailer.deliveries << mail
     end
-    
   end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/mail/version.rb new/lib/mail/version.rb
--- old/lib/mail/version.rb     2017-04-27 03:03:01.000000000 +0200
+++ new/lib/mail/version.rb     2017-06-09 22:59:25.000000000 +0200
@@ -4,7 +4,7 @@
 
     MAJOR = 2
     MINOR = 6
-    PATCH = 5
+    PATCH = 6
     BUILD = nil
 
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2017-04-27 03:03:00.000000000 +0200
+++ new/metadata        2017-06-09 22:59:24.000000000 +0200
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mail
 version: !ruby/object:Gem::Version
-  version: 2.6.5
+  version: 2.6.6
 platform: ruby
 authors:
 - Mikel Lindsaar
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-04-27 00:00:00.000000000 Z
+date: 2017-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mime-types
@@ -269,7 +269,7 @@
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Mail provides a nice Ruby DSL for making, sending and reading emails.

