> On Oct 30, 2018, at 7:43 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Tue, Oct 30, 2018 at 1:54 PM Craig Russell <apache....@gmail.com> wrote:
>>
>> This now happens on every request for a new account. I don't even see where
>> the "from_addr" is set.
>
> I wonder what has changed.
>
>> Is the bug that the from_addr is never set? Or is that done in Mail.new?
>
> Looks to me that it is in a different place than you are looking.
>
>> #<SecurityError: tainted from_addr>
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:835:in `mailfrom'
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:658:in `send_message'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp_connection.rb:54:in `deliver!'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:101:in `block in deliver!'
>> /usr/local/rvm/rubies/ruby-2.4.1/lib/ruby/2.4.0/net/smtp.rb:519:in `start'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
>> /usr/local/rvm/gems/ruby-2.4.1/gems/mail-2.7.1/lib/mail/message.rb:276:in `deliver!'
>> /x1/srv/whimsy/www/secretary/workbench/views/actions/icla.json.rb:250:in `block (2 levels) in _evaluate'
>
> From this stack trace, icla.json.rb calls the mail gem which calls the
> smtp gem which calls the mail gem which issues a callback to the smtp
> gem. Eventually the variable is named from_addr, which probably
> matches the from value in icla.json.rb.
>
> From is set to @from which is retrieved from a post argument, so it is
> truly unsafe.

Mail to root is the only mail that fails. Mail to ack an icla, ccla, grant, or to complain about unsigned, incomplete, missing public key all work fine. What is the difference here? And what is the post argument? Does it come from a cookie set when I log in?

> It would be safe to do something like the following, however:
>
> @from.untaint if @from =~ /\A\w+@apache\.org\z/

Hasn't the @from been validated already based on one of the authorized users logging in?

Craig

> - Sam Ruby

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org
http://db.apache.org/jdo
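The allowlist-then-untaint pattern Sam proposes, written out as an added, stand-alone example. This is not Whimsy's code and not the change that was actually committed: the regex is Sam's, while the function names (`safe_sender?`, `validated_from`, `line_anchored_accepts?`) and the constructed inputs are assumptions made for illustration. It also shows why the `\A`/`\z` anchors in his regex matter, since Ruby's `^` and `$` only anchor a line and would let a value carrying an injected header line through.

```ruby
# Added example (not Whimsy code): validate the SMTP envelope sender with an
# allowlist, and only then clear the taint flag that made net/smtp raise
# "SecurityError: tainted from_addr". Function names are assumptions.

# Sam's regex: exactly one apache.org local part, anchored to the whole string.
APACHE_SENDER = /\A\w+@apache\.org\z/

# The same pattern with line anchors, kept only to demonstrate the pitfall:
# ^ and $ match at line boundaries, so an embedded "\n" defeats the check.
LINE_ANCHORED = /^\w+@apache\.org$/

def safe_sender?(from)
  from.is_a?(String) && APACHE_SENDER.match?(from)
end

def line_anchored_accepts?(from)
  from.is_a?(String) && LINE_ANCHORED.match?(from)
end

# Returns a copy of +from+ that is safe to hand to Mail as the from address,
# or raises SecurityError with the same wording the stack trace shows.
def validated_from(from)
  unless safe_sender?(from)
    raise SecurityError, "tainted from_addr: refusing #{from.inspect}"
  end
  clean = from.dup
  # On Ruby < 2.7 (the thread runs 2.4.1) request parameters arrive tainted
  # and net/smtp refuses a tainted from_addr under a non-zero $SAFE. Clear the
  # flag only after the allowlist check has passed. Taint tracking became a
  # no-op in 2.7 and was removed in 3.2, so the call is version-guarded.
  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.7") &&
     clean.respond_to?(:untaint)
    clean.untaint
  end
  clean
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate sender, a foreign domain, a look-alike
  # domain, and a header-injection attempt using a bare "\n" (the form the
  # line-anchored regex lets through).
  ["rubys@apache.org",
   "attacker@example.org",
   "rubys@apache.org.example.org",
   "rubys@apache.org\nBcc: victim@example.org"].each do |from|
    puts "#{from.inspect}: strict=#{safe_sender?(from)} " \
         "line-anchored=#{line_anchored_accepts?(from)}"
  end
end
```

Run it as a script to see the four inputs classified by both regexes; in a handler you would call `validated_from(@from)` and pass the result to Mail rather than the raw post parameter. The check is deliberately independent of how the value reached the handler (session, cookie or form field): it rejects anything that is not a single apache.org address, whoever is logged in.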