Re: Bug in secretary workbench -- tainted from_addr

2018-11-07 Thread Craig Russell
Seems to work.

Craig

> On Nov 6, 2018, at 2:52 AM, Sam Ruby wrote:
>
> I don't know what changed, and I'm traveling at the moment, but I
> added a call to untaint.
>
> - Sam Ruby
>
> On Mon, Nov 5, 2018 at 3:40 PM Craig Russell wrote:
>>
>> Can we please take an

Re: Bug in secretary workbench -- tainted from_addr

2018-11-06 Thread Sam Ruby
I don't know what changed, and I'm traveling at the moment, but I added a call to untaint.

- Sam Ruby

On Mon, Nov 5, 2018 at 3:40 PM Craig Russell wrote:
>
> Can we please take another look at this issue? I'm afraid it might start to
> affect account creation since no email with the vote result

Re: Bug in secretary workbench -- tainted from_addr

2018-11-05 Thread Craig Russell
Can we please take another look at this issue? I'm afraid it might start to affect account creation since no email with the vote result is being sent to root.

Thanks,
Craig

> On Oct 30, 2018, at 8:00 PM, Sam Ruby wrote:
>
> On Tue, Oct 30, 2018 at 10:43 PM Sam Ruby wrote:
>>
>> It would be

Re: Bug in secretary workbench -- tainted from_addr

2018-10-31 Thread Craig Russell
> On Oct 30, 2018, at 7:43 PM, Sam Ruby wrote:
>
> On Tue, Oct 30, 2018 at 1:54 PM Craig Russell wrote:
>>
>> This now happens on every request for a new account. I don't even see where
>> the "from_addr" is set.
>
> I wonder what has changed.
>
>> Is the bug that the from_addr is never se

Re: Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread Sam Ruby
On Tue, Oct 30, 2018 at 10:43 PM Sam Ruby wrote:
>
> It would be safe to do something like the following, however:
>
> @from.untaint if @from =~ /\A\w+@apache\.org\z/

Looks like it may be worth adding

  or @from =~ /\A"?[\s\w]+"?\s+<\w+@apache\.org>\z/

> - Sam Ruby
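
The allowlist check proposed in the message above, as an added example that is not part of the thread or of the project's code: it runs the two quoted patterns over constructed addresses and contrasts the `\A`/`\z` anchors with line anchors. The helper name `checked_from`, the `LINE_ANCHORED` pattern and all sample addresses are assumptions; the helper returns the checked value instead of calling `untaint`, which was removed in Ruby 3.2.

```ruby
# Patterns exactly as quoted in the thread; all addresses are constructed samples.
BARE  = /\A\w+@apache\.org\z/
NAMED = /\A"?[\s\w]+"?\s+<\w+@apache\.org>\z/

# Contrast only (not from the thread): the bare pattern with line anchors.
# In Ruby, ^ and $ match at every line boundary inside the string.
LINE_ANCHORED = /^\w+@apache\.org$/

# Hypothetical helper: return a frozen copy of an address that matches the
# allowlist, or nil. Callers use the returned value, never the raw input.
def checked_from(addr)
  return nil unless addr.is_a?(String)
  (addr.match?(BARE) || addr.match?(NAMED)) ? addr.dup.freeze : nil
end

SAMPLES = [
  'jdoe@apache.org',                 # bare form
  'Jane Doe <jdoe@apache.org>',      # display-name form
  '"Jane Doe" <jdoe@apache.org>',    # quoted display name
  "jdoe@apache.org\n",               # trailing newline: \z refuses it
  "jdoe@apache.org\nX-Extra: 1",     # second line after a valid first line
  'jdoe@apache.org.example.com',     # allowed domain used as a prefix
  'jdoe@example.org',                # other domain
  # \s also matches a newline, so the display-name class lets a line break
  # through; a class of [ \w] would not.
  "Jane\nDoe <jdoe@apache.org>"
].freeze

# Run every sample through the helper and through the contrast pattern.
def report
  SAMPLES.map do |s|
    { input: s, accepted: !checked_from(s).nil?,
      line_anchored: s.match?(LINE_ANCHORED) }
  end
end

if $PROGRAM_NAME == __FILE__
  report.each do |r|
    puts format('%-34s accepted=%-5s line_anchored=%s',
                r[:input].inspect, r[:accepted], r[:line_anchored])
  end
end
```
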

Re: Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread Sam Ruby
On Tue, Oct 30, 2018 at 1:54 PM Craig Russell wrote:
>
> This now happens on every request for a new account. I don't even see where
> the "from_addr" is set.

I wonder what has changed.

> Is the bug that the from_addr is never set? Or is that done in Mail.new?

Looks to me that it is in a diffe

Re: Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread sebb
On Tue, 30 Oct 2018 at 19:27, Craig Russell wrote:
>
> # build mail from template
> mail = message.reply(
>   subject: "ICLA for #{@pubname}",
>   from: @from,
>   to: "#{@pubname.inspect} <#{@email}>",
>   cc: [
>     ('secret...@apache.org' unless use_Bcc),
>     ("private@#{@pmc.m

Re: Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread Craig Russell
# build mail from template
mail = message.reply(
  subject: "ICLA for #{@pubname}",
  from: @from,
  to: "#{@pubname.inspect} <#{@email}>",
  cc: [
    ('secret...@apache.org' unless use_Bcc),
    ("private@#{@pmc.mail_list}.apache.org" if @pmc), # copy pmc
    (@podling.private_mai

Re: Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread sebb
On Tue, 30 Oct 2018 at 17:54, Craig Russell wrote:
>
> This now happens on every request for a new account. I don't even see where
> the "from_addr" is set.

I think it's done in the template processing, i.e. here:

mail = Mail.new(template('acreq.erb'))

But when I had a look I could not work ou

Bug in secretary workbench -- tainted from_addr

2018-10-30 Thread Craig Russell
This now happens on every request for a new account. I don't even see where the "from_addr" is set.

Is the bug that the from_addr is never set? Or is that done in Mail.new?

##
# email root@