peter
3/12/2007 3:32:00 PM
That did the trick and I will test thoroughly. I was suspecting it was a
security issue.
Many thanks!!
On Tue, 2007-13-03 at 00:18 +0900, Rick DeNatale wrote:
> On 3/12/07, peter <ruby@iwebsl.com> wrote:
> >
> >
> > Yes, I understand that: removing the '' fails, as does adding "" or
> > anything else I have tried. I can remove the () and [], and as long as I use a
> > proper email address instead of a var it works.
> >
> >
> > [Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
> > [Mon Mar 12 10:14:04 2007] [error]
> > mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
> > (SecurityError)
> >
> > > not:
> > > smtp.open_message_stream('sender@mail.com', ['email']) do
> > >
> > >
> > > but:
> > > smtp.open_message_stream('sender@mail.com', [email]) do
> > >
>
> Okay, I finally realize that we have been chasing the wrong issue.
>
> The problem isn't that you are using a variable vs. a literal, it's
> that the email address you got from the form is marked as tainted and
> you are running with $SAFE > 0
>
> Here's the relevant code from Net::SMTP, it's in the send0 method which
> is called by open_message_stream
>
>     if $SAFE > 0
>       raise SecurityError, 'tainted from_addr' if from_addr.tainted?
>       to_addrs.each do |to|
>         raise SecurityError, 'tainted to_addr' if to.tainted?
>       end
>     end
>
> Web frameworks often do, and should, mark strings obtained from the
> user as tainted; this avoids various security exposures.
>
> You should try either:
>
> smtp.open_message_stream('sender@mail.com', [email.untaint]) do
>
> or
>
> smtp.open_message_stream('sender@mail.com', email.untaint) do
>
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.
>
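An added example, not from the thread and not Net::SMTP's own code, of the "test the address first" step Rick suggests above: validate the form-supplied recipient before untainting it, rather than calling untaint on whatever the form sent. The names (InvalidRecipient, safe_recipient, safe_recipients) and the sample inputs are my own. The check is deliberately stricter than the RFC address grammar, and it rejects CR/LF because SMTP commands are line-delimited, so a recipient containing a line break could smuggle extra commands or headers into the session. The taint API was deprecated in Ruby 2.7 and removed in Ruby 3.2, so the untaint call is guarded and the code runs on 1.8 and on current interpreters alike.

```ruby
# Added example: validate a web-form recipient before passing it to
# Net::SMTP#open_message_stream, instead of blindly untainting it.
# Names and sample inputs below are assumptions for illustration, not
# anything from the original thread or from Net::SMTP.

class InvalidRecipient < ArgumentError; end

# Characters that would let a recipient break out of "RCPT TO:<addr>":
# CR and LF end an SMTP command line, NUL is never legal, and angle
# brackets or spaces would corrupt the framing of the address.
FORBIDDEN = /[\r\n\0<> ]/

# Conservative local@domain shape with a dotted domain and an alphabetic
# top-level label.  Anchored with \A and \z on purpose: ^ and $ match per
# line in Ruby, so "ok@example.com\nRCPT TO:<x@y>" would pass a ^...$ check.
ADDRESS = /\A[A-Za-z0-9._%+\-]+@(?:[A-Za-z0-9\-]+\.)+[A-Za-z]{2,}\z/

# Practical upper bound on a full address (constructed limit, matches the
# commonly used 254-octet figure for a path in SMTP).
MAX_LENGTH = 254

# Returns a validated copy of the address, untainted where the interpreter
# still has a taint API, or raises InvalidRecipient.
def safe_recipient(raw)
  raise InvalidRecipient, "recipient must be a String" unless raw.is_a?(String)
  addr = raw.strip
  raise InvalidRecipient, "empty recipient" if addr.empty?
  raise InvalidRecipient, "recipient too long" if addr.length > MAX_LENGTH
  if addr =~ FORBIDDEN
    raise InvalidRecipient, "control or framing characters in recipient"
  end
  unless addr =~ ADDRESS
    raise InvalidRecipient, "malformed address: #{addr.inspect}"
  end
  # Only now is it reasonable to clear the taint flag.  On Ruby 1.8 with
  # $SAFE > 0 this is what lets Net::SMTP accept the string; on Ruby 3.2+
  # there is no untaint method, and the validated copy is returned as is.
  addr = addr.dup
  addr.untaint if addr.respond_to?(:untaint)
  addr
end

# Convenience for the to_addrs array that open_message_stream takes:
# every entry is validated, and one bad address fails the whole batch so
# no partially-checked list reaches the SMTP session.
def safe_recipients(list)
  Array(list).map { |r| safe_recipient(r) }
end

# True/false form of the same check, for callers that want to report a
# form error instead of raising.
def valid_recipient?(raw)
  safe_recipient(raw)
  true
rescue InvalidRecipient
  false
end

# Demonstration on constructed inputs (these are made-up test values).
if __FILE__ == $0
  samples = [
    "user@example.com",
    "  User.Name+tag@mail.example.org ",
    "a@b.com\r\nRCPT TO:<evil@attacker.invalid>",
    "<user@example.com>",
    "no-at-sign",
    "user@localhost",
  ]
  samples.each do |s|
    begin
      puts "accepted: #{safe_recipient(s).inspect}"
    rescue InvalidRecipient => e
      puts "rejected #{s.inspect}: #{e.message}"
    end
  end
end
```

In the original code this would replace `[email.untaint]` with `[safe_recipient(email)]`, so the SecurityError goes away for the same reason, but an address that could inject into the SMTP dialogue is refused before it gets anywhere near `send0`.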