On Tue, Oct 30, 2018 at 1:54 PM Craig Russell <apache....@gmail.com> wrote:
>
> This now happens on every request for a new account. I don't even see where
> the "from_addr" is set.

I wonder what has changed.

> Is the bug that the from_addr is never set? Or is that done in Mail.new?

Looks to me that it is in a different place than you are looking.

> #<SecurityError: tainted from_addr>
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in `mailfrom'
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in `send_message'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in `deliver!'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in `block in deliver!'
> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in `deliver!'
> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in `block (2 levels) in _evaluate'

From this stack trace, icla.json.rb calls the mail gem which calls the smtp gem which calls the mail gem which issues a callback to the smtp gem. Eventually the variable is named from_addr, which probably matches the from value in icla.json.rb.

From is set to @from which is retrieved from a post argument, so it is truly unsafe. It would be safe to do something like the following, however:

@from.untaint if @from =~ /\A\w+@apache\.org\z/

- Sam Ruby
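The validation Sam proposes, written out as a small stand-alone helper. This is an added example, not code from the Whimsy project or from either message in the thread; the helper names `safe_from` and `from_allowed?` and the constant names are assumptions. It keeps the thread's `/\A\w+@apache\.org\z/` allowlist, only untaints on Rubies that still implement taint tracking (the `untaint` method was removed in Ruby 3.2, so the call is guarded), and shows why the `\A`/`\z` anchors matter: Ruby's `^` and `$` are line anchors, so a `^...$` version would accept a value with an embedded newline, which must never reach an SMTP envelope.

```ruby
# Added example: allowlist a request-supplied From address before it is
# passed to the mail gem. Helper names and the sample inputs are constructed
# for this illustration; the pattern is the one proposed in the thread.

# Absolute anchors: \A is start of string, \z is the very end of the string.
APACHE_FROM = /\A\w+@apache\.org\z/

# Contrast only: ^ and $ are *line* anchors in Ruby, so this pattern also
# matches a multi-line value. Do not use it for input validation.
LINE_ANCHORED_FROM = /^\w+@apache\.org$/

# True when the whole value is a single apache.org local-part address.
def from_allowed?(addr)
  addr.to_s.match?(APACHE_FROM)
end

# Returns the validated address, untainted where the Ruby still supports
# taint tracking (net/smtp under $SAFE > 0 rejects tainted from_addr);
# raises ArgumentError for anything outside the allowlist.
def safe_from(addr)
  s = addr.to_s
  raise ArgumentError, "from address rejected: #{s.inspect}" unless from_allowed?(s)
  s.untaint if s.respond_to?(:untaint) # no-op on Ruby >= 3.2, which removed untaint
  s
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one acceptable address, one from another
  # domain, and one carrying a second line.
  ["rubys@apache.org", "rubys@example.org", "rubys@apache.org\nX-Extra: 1"].each do |candidate|
    puts "#{candidate.inspect}: allowed=#{from_allowed?(candidate)} " \
         "line_anchored=#{candidate.match?(LINE_ANCHORED_FROM)}"
  end
end
```

Keeping the regex as a constant and the check in one function means the `untaint` (on old Rubies) can only ever be reached by a value that already passed the allowlist, which is the property the thread's one-liner relies on.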