comp.lang.ruby

Help with NET::SMTP

peter

3/11/2007 3:13:00 PM

I'm trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace
recipient@host.com with a variable based on the submitting user's email
address #{email} but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?

Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end

Thanks in advance!

Peter


13 Answers

Rick DeNatale

3/11/2007 10:46:00 PM

0

On 3/11/07, peter <ruby@iwebsl.com> wrote:
> I'm trying to use Net::SMTP which appears to do most everything I need
> except for one thing. In the example below I need to replace
> recipient@host.com with a variable based on the submitting users email
> address #{email) but nothing I have tried works. In most cases I get a
> tainted sender error. How can I use this and have a variable recipient?
>
> Net::SMTP.start('mail', 25) do |smtp|
> smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |
> f|
> f.puts "From: sender sender@mail.com"
> f.puts "To: #{name} #{email}"

It looks like the problem might be that the recipient email in the
header doesn't match the one you gave when you opened the stream.

Assuming that the email variable contains the real recipient, have you tried:
smtp.open_message_stream('sender@mail.com', [email]) do |f|
  f.puts "From: sender sender@mail.com"
  f.puts "To: #{name} #{email}"
  ...


--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...

IPMS/USA Region 12 Coordinator
http://ipmsr12.denh...

Visit the Project Mercury Wiki Site
http://www.mercuryspace...

peter

3/12/2007 12:20:00 AM

0

Hi Rick
Thanks for the response. I tried it just to check but that does not
work. The var email comes from a web form and does match the To; however,
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.



Rick DeNatale

3/12/2007 12:47:00 PM

0

On 3/11/07, peter <ruby@iwebsl.com> wrote:
> Hi Rick
> Thanks for the response. I tried it just to check but that does not
> work . The var email comes from a web form and does match the To however
> I think the real problem is that the to is in an array and the array
> does not allow for a variable. This is very odd though because it would
> be extremely limiting to not be able to set these values as vars.

Can you show a bit more of your code.

I'm not sure what you mean by "I think the real problem is that the to
is in an array and the array does not allow for a variable."

In my suggested line:
smtp.open_message_stream('sender@mail.com', [email])

[email] will make an array containing one element which is the object
(presumably a String) referenced by the variable email. Now if email
ISN'T a string but is some other object, then perhaps [email.to_s]
would work.

I've never played with NET::SMTP, but this is basic Ruby stuff.

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...

peter

3/12/2007 1:21:00 PM

0

Hi Rick

I was hoping I could use this as a simple form mailer but I'm starting
to think that that is not possible.

In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.

Bits of code.

require 'digest/md5'
require 'net/smtp'
require 'cgi'
cgi = CGI.new          # the form parameters come in through the CGI object
email = cgi['email'].strip

Form posts to self. The variable is email.

Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['email']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end




Rick DeNatale

3/12/2007 1:33:00 PM

0

On 3/12/07, peter <ruby@iwebsl.com> wrote:
> Hi Rick
>
> I was hoping I could use this as a simple form mailer but I'm starting
> to think that that is not possible.
>
> In the open_message_stream you need a from and to. In my case the to is
> a variable in eruby #{email}. Everything I have tried either results in
> tainted to or security error.
>
> Bits of code.
>
> require 'digest/md5'
> require 'net/smtp'
> require 'cgi'
> email = cgi['email'].strip
>
> Form posts to self. The variable is email.
>
> Net::SMTP.start('mail', 25) do |smtp|
> smtp.open_message_stream('sender@mail.com', ['email']) do |
> f|
> f.puts "From: sender sender@mail.com"
> f.puts "To: #{name} #{email}"
> f.puts "Subject: Test"
> f.puts "Date: #{t}"
> f.puts
> f.puts "#{name}\n\nTest Email!\n\n"
> end
>
>

not:
smtp.open_message_stream('sender@mail.com', ['email']) do


but:
smtp.open_message_stream('sender@mail.com', [email]) do

Those quotes mean that you are making an array with the literal string 'email'

email="joe.blow@somedomain.com"
['email'] => [ 'email']

[email] => ["joe.blow@somedomain.com"]

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...

peter

3/12/2007 2:34:00 PM

0



Yes I understand that, removing the '' fails, as does adding "" or
anything I have tried. I can remove the () and [] and as long as I use a
proper email address instead of a var it works.


[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error]
mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
(SecurityError)








Rick DeNatale

3/12/2007 3:19:00 PM

0

On 3/12/07, peter <ruby@iwebsl.com> wrote:
>
>
> Yes I understand that, removing the '' fails, as does adding "" or
> anything I have tried. I can remove the () and [] and as long as I use a
> proper email address instead of a var it works.
>
>
> [Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
> [Mon Mar 12 10:14:04 2007] [error]
> mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
> (SecurityError)
>
>
>
>

Okay, I finally realize that we have been chasing the wrong issue.

The problem isn't that you are using a variable vs. a literal, it's
that the email address you got from the form is marked as tainted and
you are running with $safe > 0

Here's the relevant code from Net::SMTP; it's in the send0 method, which
is called by open_message_stream:

if $SAFE > 0
  raise SecurityError, 'tainted from_addr' if from_addr.tainted?
  to_addrs.each do |to|
    raise SecurityError, 'tainted to_addr' if to.tainted?
  end
end

Web frameworks often do, and should, mark strings obtained from the
user as tainted; this avoids various security exposures.

You should try either:

smtp.open_message_stream('sender@mail.com', [email.untaint]) do

or

smtp.open_message_stream('sender@mail.com', email.untaint) do

You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...

peter

3/12/2007 3:32:00 PM

0

That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

Many thanks!!



Jenda Krynicky

3/12/2007 4:25:00 PM

0

Rick Denatale wrote:
> On 3/12/07, peter <ruby@iwebsl.com> wrote:
>> (SecurityError)
>> >
>> > but:
>> > smtp.open_message_stream('sender@mail.com', [email]) do
>> >
>
> Okay, I finally realize that we have been chasing the wrong issue.
>
> The problem isn't that you are using a variable vs. a literal, it's
> that the email address you got from the form is marked as tainted and
> you are running with $safe > 0
>
> Web frameworks often do, and should, mark strings obtained from the
> user as tainted, this avoids various security exposures.
>
> You should try either:
>
> smtp.open_message_stream('sender@mail.com', [email.untaint]) do
>
> or
>
> smtp.open_message_stream('sender@mail.com', email.untaint) do
>
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.

Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! "Solving" the issue by blind untainting is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it's one of the allowed addresses or at least
that it's in the allowed domain(s).

Jenda

--
Posted via http://www.ruby-....
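The validate-before-untaint approach Jenda describes, applied to Rick's open_message_stream call, as an added example that is not part of the thread. ALLOWED_DOMAINS, the mail host and the sender address are placeholders; the allowlist check and the whole-string anchors are the point.

```ruby
# Added example: validate a form-supplied recipient before handing it to
# Net::SMTP, instead of calling untaint on whatever the form sent.
# ALLOWED_DOMAINS, 'mail' and sender@mail.com are assumed placeholders.
require 'net/smtp'

ALLOWED_DOMAINS = %w[example.com mail.example.com].freeze

# Conservative address syntax: one local part, one @, a dotted domain.
# \A and \z anchor the whole string; ^ and $ in Ruby match per line, so a
# value with an embedded newline would slip past a /^...$/ check.
ADDRESS_RE = /\A[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}\z/

class RecipientError < StandardError; end

# Returns a validated copy of +raw+ or raises RecipientError.
def safe_recipient(raw, allowed = ALLOWED_DOMAINS)
  addr = raw.to_s.strip
  raise RecipientError, 'malformed address' unless addr.match?(ADDRESS_RE)
  domain = addr.split('@').last.downcase
  raise RecipientError, "domain #{domain} not allowed" unless allowed.include?(domain)
  # Only a value that passed both checks gets its taint flag cleared
  # ($SAFE > 0 on Ruby 1.8); String#untaint is gone on Ruby 3.2+, so guard it.
  addr = addr.dup
  addr.untaint if addr.respond_to?(:untaint)
  addr
end

# Delivery as in the thread, with the validated address used for both the
# envelope recipient (open_message_stream) and the To: header so they agree.
def send_form_mail(raw_email, body, host = 'mail', port = 25)
  to = safe_recipient(raw_email)
  Net::SMTP.start(host, port) do |smtp|
    smtp.open_message_stream('sender@mail.com', [to]) do |f|
      f.puts 'From: sender <sender@mail.com>'
      f.puts "To: #{to}"
      f.puts 'Subject: Test'
      f.puts
      f.puts body
    end
  end
  to
end
```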

Rick DeNatale

3/12/2007 5:46:00 PM

0

On 3/12/07, peter <ruby@iwebsl.com> wrote:
> That did the trick and I will test thoroughly. I was suspecting it was a
> security issue.

This prompted me to post about the debugging mind-traps, something
I've been wanting to do for a few days.

http://talklikeaduck.denh...articles/2007/03/12/are-you-aiming-at-the...

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denh...