# build mail from template
#
# Reply to the incoming message with the ICLA acknowledgement rendered from
# the `reply` template: addressed to the submitter, with the secretary alias
# either cc'd or bcc'd (depending on use_Bcc) and the PMC / podling private
# lists copied when present.
#
# NOTE(review): list entries whose guard is false evaluate to nil and are
# passed through unchanged (no compact) — confirm message.reply tolerates
# nil entries in cc/bcc.
# NOTE(review): @from is passed through as-is; if it has to be untainted to
# satisfy net/smtp's taint check, untaint a value that has first been
# validated as a single address (no CR/LF), not the raw string.
recipient = "#{@pubname.inspect} <#{@email}>"
secretary = 'secret...@apache.org'

copies = [
  (secretary unless use_Bcc),
  ("private@#{@pmc.mail_list}.apache.org" if @pmc), # copy pmc
  (@podling.private_mail_list if @podling)           # copy podling
]
blind_copies = [(secretary if use_Bcc)]

mail = message.reply(
  subject: "ICLA for #{@pubname}",
  from: @from,
  to: recipient,
  cc: copies,
  bcc: blind_copies,
  body: template(reply)
)
Can it be as easy as `from: @from.untaint`? Or should @from be untainted where it is created — i.e. once it has been validated as a single well-formed address — so the untaint marks a checked value rather than merely silencing net/smtp's taint check at the point of use? Craig > On Oct 30, 2018, at 11:12 AM, sebb <seb...@gmail.com> wrote: > > On Tue, 30 Oct 2018 at 17:54, Craig Russell <apache....@gmail.com> wrote: >> >> This now happens on every request for a new account. I don't even see where >> the "from_addr" is set. > > I think it's done in the template processing, i.e. here: > > mail = Mail.new(template('acreq.erb')) > > But when I had a look I could not work out how to untaint it. > >> Is the bug that the from_addr is never set? Or is that done in Mail.new? >> >> ###################################################################### >> # email root@ # >> ###################################################################### >> >> task "email r...@apache.org" do >> # build mail from template >> mail = Mail.new(template('acreq.erb')) >> >> # adjust copy lists >> cc = ["#{@pubname.inspect} <#{@email}>"] >> cc << "private@#{@pmc.mail_list}.apache.org" if @pmc # copy pmc >> cc << @podling.private_mail_list if @podling # copy podling >> mail.cc = cc.uniq.map {|email| email.dup.untaint} >> >> # untaint to email addresses >> mail.to = mail.to.map {|email| email.dup.untaint} >> >> # echo email >> form do >> _message mail.to_s >> end >> >> # deliver mail >> complete do >> mail.deliver! >> end >> end >> >> #<SecurityError: tainted from_addr> >> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in >> `mailfrom' >> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in >> `send_message' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in >> `deliver!' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in >> `block in deliver!' 
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in >> `start_smtp_session' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in >> `deliver!' >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in >> `deliver!' >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in >> `block (2 levels) in _evaluate' >> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:47:in `complete' >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:249:in >> `block in _evaluate' >> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:12:in `task' >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:230:in >> `_evaluate' >> /x1/srv/whimsy/www/secretary/workbench/server.rb:92:in `block in <top >> (required)>' >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:223:in `call' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/out_of_band_gc.rb:48:in >> `call' >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:148:in `call' >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:79:in `call' >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:254:in `call' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in >> `process_request' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:160:in >> `accept_and_process_next_request' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:113:in >> `main_loop' >> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler.rb:416:in >> `block (3 levels) in start_threads' >> >> 
/usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/utils.rb:113:in >> `block in create_thread_and_abort_on_exception' >> Craig L Russell >> Secretary, Apache Software Foundation >> c...@apache.org http://db.apache.org/jdo >> Craig L Russell Secretary, Apache Software Foundation c...@apache.org <mailto:c...@apache.org> http://db.apache.org/jdo <http://db.apache.org/jdo>