On Tue, 30 Oct 2018 at 17:54, Craig Russell <apache....@gmail.com> wrote:
>
> This now happens on every request for a new account. I don't even see where
> the "from_addr" is set.

I think it's done in the template processing, i.e. here:

mail = Mail.new(template('acreq.erb'))

But when I had a look I could not work out how to untaint it.

> Is the bug that the from_addr is never set? Or is that done in Mail.new?
>
> ######################################################################
> # email root@ #
> ######################################################################
>
> task "email r...@apache.org" do
>   # build mail from template
>   mail = Mail.new(template('acreq.erb'))
>
>   # adjust copy lists
>   cc = ["#{@pubname.inspect} <#{@email}>"]
>   cc << "private@#{@pmc.mail_list}.apache.org" if @pmc # copy pmc
>   cc << @podling.private_mail_list if @podling # copy podling
>   mail.cc = cc.uniq.map {|email| email.dup.untaint}
>
>   # untaint to email addresses
>   mail.to = mail.to.map {|email| email.dup.untaint}
>
>   # echo email
>   form do
>     _message mail.to_s
>   end
>
>   # deliver mail
>   complete do
>     mail.deliver!
>   end
> end
>
> #<SecurityError: tainted from_addr>
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in `mailfrom'
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in `send_message'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in `deliver!'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in `block in deliver!'
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in `deliver!'
> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in `block (2 levels) in _evaluate'
> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:47:in `complete'
> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:249:in `block in _evaluate'
> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:12:in `task'
> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:230:in `_evaluate'
> /x1/srv/whimsy/www/secretary/workbench/server.rb:92:in `block in <top (required)>'
> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:223:in `call'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/out_of_band_gc.rb:48:in `call'
> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:148:in `call'
> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:79:in `call'
> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:254:in `call'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in `process_request'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:160:in `accept_and_process_next_request'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:113:in `main_loop'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'
> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>
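
The trace above ends in Net::SMTP's `mailfrom` refusing a tainted envelope sender, while the quoted task clears the flag on the To and Cc lists with a bare `dup.untaint`. As an added example (not part of the thread and not Whimsy code; `ENVELOPE_ADDR`, `clean_addr` and `clean_list` are hypothetical names, and the addresses are constructed), this checks a bare envelope address before clearing its taint flag:

```ruby
# Added example, not Whimsy code. All names and sample addresses are hypothetical.

# Deliberately strict pattern for a bare SMTP envelope address.
# \A and \z anchor the whole string; ^ and $ would match per line in Ruby
# and let a value with an embedded newline through.
ENVELOPE_ADDR = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\z/

# Return a fresh, checked copy of addr, or raise ArgumentError.
def clean_addr(addr)
  candidate = addr.to_s
  unless candidate.match?(ENVELOPE_ADDR)
    raise ArgumentError, "refusing envelope address #{candidate.inspect}"
  end
  copy = candidate.dup
  # Taint tracking exists only on older Rubies (the methods were removed in
  # Ruby 3.2). Where it exists, clear the flag only after the value passed
  # the check above, so untainting reflects a real validation step.
  copy.untaint if copy.respond_to?(:untaint)
  copy
end

# Validate every address in a list and drop duplicates.
def clean_list(addrs)
  Array(addrs).map { |a| clean_addr(a) }.uniq
end

if __FILE__ == $0
  # Constructed sample values.
  puts clean_addr("secretary@example.org")
  puts clean_list(["a@example.org", "a@example.org", "b@example.org"]).inspect
  begin
    clean_addr("user@example.org\nextra")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The pattern accepts bare addresses only, so display-name forms such as the `"Name" <addr>` entries in the quoted Cc list would need the address part extracted first.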