On Tue, 30 Oct 2018 at 19:27, Craig Russell <apache....@gmail.com> wrote:
>
> # build mail from template
> mail = message.reply(
>   subject: "ICLA for #{@pubname}",
>   from: @from,
>   to: "#{@pubname.inspect} <#{@email}>",
>   cc: [
>     ('secret...@apache.org' unless use_Bcc),
>     ("private@#{@pmc.mail_list}.apache.org" if @pmc), # copy pmc
>     (@podling.private_mail_list if @podling)          # copy podling
>   ],
>   bcc: [('secret...@apache.org' if use_Bcc)],
>   body: template(reply)
> )
>
> Can it be as easy as
>
> from: @from.untaint?
>
> Or should the @from variable be untainted when it is created?

Yes, because its origin needs to be checked to see if it is safe to untaint the value.

> Craig
>
> > On Oct 30, 2018, at 11:12 AM, sebb <seb...@gmail.com> wrote:
> >
> > On Tue, 30 Oct 2018 at 17:54, Craig Russell <apache....@gmail.com> wrote:
> >>
> >> This now happens on every request for a new account. I don't even see
> >> where the "from_addr" is set.
> >
> > I think it's done in the template processing, i.e. here:
> >
> > mail = Mail.new(template('acreq.erb'))
> >
> > But when I had a look I could not work out how to untaint it.
> >
> >> Is the bug that the from_addr is never set? Or is that done in Mail.new?
> >>
> >> ######################################################################
> >> #                            email root@                             #
> >> ######################################################################
> >>
> >> task "email r...@apache.org" do
> >>   # build mail from template
> >>   mail = Mail.new(template('acreq.erb'))
> >>
> >>   # adjust copy lists
> >>   cc = ["#{@pubname.inspect} <#{@email}>"]
> >>   cc << "private@#{@pmc.mail_list}.apache.org" if @pmc # copy pmc
> >>   cc << @podling.private_mail_list if @podling          # copy podling
> >>   mail.cc = cc.uniq.map {|email| email.dup.untaint}
> >>
> >>   # untaint to email addresses
> >>   mail.to = mail.to.map {|email| email.dup.untaint}
> >>
> >>   # echo email
> >>   form do
> >>     _message mail.to_s
> >>   end
> >>
> >>   # deliver mail
> >>   complete do
> >>     mail.deliver!
> >>   end
> >> end
> >>
> >> #<SecurityError: tainted from_addr>
> >> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in `mailfrom'
> >> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in `send_message'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in `deliver!'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in `block in deliver!'
> >> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in `deliver!'
> >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in `block (2 levels) in _evaluate'
> >> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:47:in `complete'
> >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:249:in `block in _evaluate'
> >> /x1/srv/whimsy/www/secretary/workbench/tasks.rb:12:in `task'
> >> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:230:in `_evaluate'
> >> /x1/srv/whimsy/www/secretary/workbench/server.rb:92:in `block in <top (required)>'
> >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:223:in `call'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/out_of_band_gc.rb:48:in `call'
> >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:148:in `call'
> >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:79:in `call'
> >> /x1/srv/whimsy/lib/whimsy/asf/rack.rb:254:in `call'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in `process_request'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:160:in `accept_and_process_next_request'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:113:in `main_loop'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'
> >> /usr/local/rvm/gems/ruby-2.4.1/gems/passenger-5.1.12/src/ruby_supportlib/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'
> >>
> >> Craig L Russell
> >> Secretary, Apache Software Foundation
> >> c...@apache.org http://db.apache.org/jdo
> >>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
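As an added example (not code from this thread or from Whimsy), the "check the origin, then untaint" step sebb describes, written as a hypothetical helper: an address that came from untrusted input, such as the From: header of the message being replied to, is checked against a strict shape and only then has its taint flag cleared. The version guard around untaint is an assumption, since the method is a no-op from Ruby 2.7 and absent in 3.2 and later.

```ruby
# Added example (not Whimsy code): validate an address taken from untrusted
# input, such as the From: header of an incoming message, before untainting
# it for SMTP delivery. Only a value that passes the check is untainted.

# Conservative shape: one local@domain token with no whitespace or control
# characters, so the value cannot carry CR/LF or extra SMTP parameters.
SAFE_ADDRESS = /\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+\z/

class UnsafeAddress < ArgumentError; end

# Returns an untainted copy of +value+ or raises UnsafeAddress.
def safe_mail_address(value)
  raise UnsafeAddress, "address is not a String" unless value.is_a?(String)
  addr = value.dup
  unless addr.match?(SAFE_ADDRESS)
    raise UnsafeAddress, "rejected address: #{value.inspect}"
  end
  # String#untaint is honoured by $SAFE only before Ruby 2.7, is a no-op in
  # 2.7..3.1 and is gone in 3.2+, hence the guard (an assumption about the
  # runtime). The flag is cleared only after the shape check above, which is
  # the origin check the thread asks for.
  addr.untaint if addr.respond_to?(:untaint)
  addr
end

# The copy lists in the thread are built from conditional entries that may be
# nil; drop those, deduplicate, and run every survivor through the same check.
def safe_address_list(*candidates)
  candidates.compact.uniq.map { |a| safe_mail_address(a) }
end
```

Rejecting the value instead of silently untainting it turns a tainted-from_addr SecurityError into an explicit, loggable failure at the point where the address enters the application.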