I'm trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace recipient@host.com with a variable based on the submitting user's email
address #{email} but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?
Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end
It looks like the problem might be that the recipient email in the
header doesn't match the one you gave when you opened the stream.
Assuming that the email variable contains the real recipient, have you tried:
smtp.open_message_stream('sender@mail.com', [email]) do |f|
f.puts "From: sender sender@mail.com"
f.puts "To: #{name} #{email}"
...
···
On 3/11/07, peter <ruby@iwebsl.com> wrote:
I'm trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace
recipient@host.com with a variable based on the submitting users email
address #{email} but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?
Net::SMTP.start('mail', 25) do |smtp|
smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |f|
f.puts "From: sender sender@mail.com"
f.puts "To: #{name} #{email}"
Hi Rick
Thanks for the response. I tried it just to check but that does not
work. The var email comes from a web form and does match the To however
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.
···
On Mon, 2007-12-03 at 07:45 +0900, Rick DeNatale wrote:
On 3/11/07, peter <ruby@iwebsl.com> wrote:
> I'm trying to use Net::SMTP which appears to do most everything I need
> except for one thing. In the example below I need to replace
> recipient@host.com with a variable based on the submitting users email
> address #{email} but nothing I have tried works. In most cases I get a
> tainted sender error. How can I use this and have a variable recipient?
>
> Net::SMTP.start('mail', 25) do |smtp|
> smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |f|
> f.puts "From: sender sender@mail.com"
> f.puts "To: #{name} #{email}"
It looks like the problem might be that the recipient email in the
header doesn't match the one you gave when you opened the stream.
Assuming that the email variable contains the real recipient, have you tried:
smtp.open_message_stream('sender@mail.com', [email]) do |f|
f.puts "From: sender sender@mail.com"
f.puts "To: #{name} #{email}"
...
I'm not sure what you mean by "I think the real problem is that the to
is in an array and the array does not allow for a variable."
In my suggested line:
smtp.open_message_stream('sender@mail.com', [email])
[email] will make an array containing one element which is the object
(presumably a String) referenced by the variable email. Now if email
ISN'T a string but is some other object, then perhaps [email.to_s]
would work.
I've never played with Net::SMTP, but this is basic Ruby stuff.
···
On 3/11/07, peter <ruby@iwebsl.com> wrote:
Hi Rick
Thanks for the response. I tried it just to check but that does not
work. The var email comes from a web form and does match the To however
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.
I was hoping I could use this as a simple form mailer but I'm starting
to think that that is not possible.
In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.
Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['email']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end
···
On Mon, 2007-12-03 at 21:47 +0900, Rick DeNatale wrote:
On 3/11/07, peter <ruby@iwebsl.com> wrote:
> Hi Rick
> Thanks for the response. I tried it just to check but that does not
> work. The var email comes from a web form and does match the To however
> I think the real problem is that the to is in an array and the array
> does not allow for a variable. This is very odd though because it would
> be extremely limiting to not be able to set these values as vars.
Can you show a bit more of your code.
I'm not sure what you mean by "I think the real problem is that the to
is in an array and the array does not allow for a variable."
In my suggested line:
smtp.open_message_stream('sender@mail.com', [email])
[email] will make an array containing one element which is the object
(presumably a String) referenced by the variable email. Now if email
ISN'T a string but is some other object, then perhaps [email.to_s]
would work.
I've never played with Net::SMTP, but this is basic Ruby stuff.
I was hoping I could use this as a simple form mailer but I'm starting
to think that that is not possible.
In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.
Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['email']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end
On Mon, 2007-12-03 at 21:47 +0900, Rick DeNatale wrote:
> On 3/11/07, peter <ruby@iwebsl.com> wrote:
> > Hi Rick
> > Thanks for the response. I tried it just to check but that does not
> > work. The var email comes from a web form and does match the To however
> > I think the real problem is that the to is in an array and the array
> > does not allow for a variable. This is very odd though because it would
> > be extremely limiting to not be able to set these values as vars.
>
> Can you show a bit more of your code.
>
> I'm not sure what you mean by "I think the real problem is that the to
> is in an array and the array does not allow for a variable."
>
> In my suggested line:
> smtp.open_message_stream('sender@mail.com', [email])
>
> [email] will make an array containing one element which is the object
> (presumably a String) referenced by the variable email. Now if email
> ISN'T a string but is some other object, then perhaps [email.to_s]
> would work.
>
> I've never played with Net::SMTP, but this is basic Ruby stuff.
>
Yes I understand that, removing the '' fails, as does adding "" or
anything I have tried. I can remove the () and as long as I use a
proper email address instead of a var it works.
[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error]
mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
(SecurityError)
···
not:
smtp.open_message_stream('sender@mail.com', ['email']) do
but:
smtp.open_message_stream('sender@mail.com', [email]) do
Those quotes mean that you are making an array with the literal string 'email'.
Okay, I finally realize that we have been chasing the wrong issue.
The problem isn't that you are using a variable vs. a literal, it's
that the email address you got from the form is marked as tainted and
you are running with $SAFE > 0.
Here's the relevant code from Net::SMTP, it's in the send0 method which
is called by open_message_stream
if $SAFE > 0
  raise SecurityError, 'tainted from_addr' if from_addr.tainted?
  to_addrs.each do |to|
    raise SecurityError, 'tainted to_addr' if to.tainted?
  end
end
Web frameworks often do, and should, mark strings obtained from the
user as tainted; this avoids various security exposures.
You should try either:
smtp.open_message_stream('sender@mail.com', [email.untaint]) do
or
smtp.open_message_stream('sender@mail.com', email.untaint) do
You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.
···
On 3/12/07, peter <ruby@iwebsl.com> wrote:
Yes I understand that, removing the '' fails, as does adding "" or
anything I have tried. I can remove the () and as long as I use a
proper email address instead of a var it works.
[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error]
mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
(SecurityError)
> >
>
> not:
> smtp.open_message_stream('sender@mail.com', ['email']) do
>
> but:
> smtp.open_message_stream('sender@mail.com', [email]) do
>
That did the trick and I will test thoroughly. I was suspecting it was a
security issue.
Many thanks!!
···
On Tue, 2007-13-03 at 00:18 +0900, Rick DeNatale wrote:
On 3/12/07, peter <ruby@iwebsl.com> wrote:
> Yes I understand that, removing the '' fails, as does adding "" or
> anything I have tried. I can remove the () and and as long as I use a
> proper email address instead of a var it works.
> [Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
> [Mon Mar 12 10:14:04 2007] [error]
> mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
> (SecurityError)
> > not:
> > smtp.open_message_stream('sender@mail.com', ['email']) do
> > but:
> > smtp.open_message_stream('sender@mail.com', [email]) do
> >
Okay, I finally realize that we have been chasing the wrong issue.
The problem isn't that you are using a variable vs. a literal, it's
that the email address you got from the form is marked as tainted and
you are running with $SAFE > 0.
Here's the relevant code from Net::SMTP, it's in the send0 method which
is called by open_message_stream
if $SAFE > 0
  raise SecurityError, 'tainted from_addr' if from_addr.tainted?
  to_addrs.each do |to|
    raise SecurityError, 'tainted to_addr' if to.tainted?
  end
end
Web frameworks often do, and should, mark strings obtained from the
user as tainted; this avoids various security exposures.
You should try either:
smtp.open_message_stream('sender@mail.com', [email.untaint]) do
or
smtp.open_message_stream('sender@mail.com', email.untaint) do
You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.
>
> but:
> smtp.open_message_stream('sender@mail.com', [email]) do
>
Okay, I finally realize that we have been chasing the wrong issue.
The problem isn't that you are using a variable vs. a literal, it's
that the email address you got from the form is marked as tainted and
you are running with $SAFE > 0.
Web frameworks often do, and should, mark strings obtained from the
user as tainted; this avoids various security exposures.
You should try either:
smtp.open_message_stream('sender@mail.com', [email.untaint]) do
or
smtp.open_message_stream('sender@mail.com', email.untaint) do
You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.
Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! "Solving" the issue by blind untainting is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it's one of the allowed addresses or at least
that it's in the allowed domain(s).
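An added example, not code from anyone in the thread, that puts Rick's explanation of the $SAFE check in send0 together with Jenda's advice: the form value is checked against a strict address shape and an allowed-domain list, header values are stripped of line breaks, and only a value that passed those checks has its taint flag cleared before it reaches open_message_stream. ALLOWED_DOMAINS, ADDRESS_RE and the helper names are assumptions made for the example; the host 'mail', port 25 and the sender address are the ones used in the thread.

```ruby
# Constructed for this example: domains the site's form mailer may address.
ALLOWED_DOMAINS = %w[example.com example.org].freeze
# Exactly one address: no whitespace, commas or angle brackets, dotted domain.
ADDRESS_RE = /\A([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/

# Returns a vetted recipient string, or nil when the form value is not a
# single well-formed address inside an allowed domain.
def safe_recipient(input, allowed = ALLOWED_DOMAINS)
  m = ADDRESS_RE.match(input.to_s.strip)
  return nil unless m
  local, domain = m[1], m[2].downcase
  return nil unless allowed.include?(domain)
  addr = "#{local}@#{domain}"
  # On Ruby 1.8 (the thread's setting) the interpolated string inherits the
  # form value's taint flag, so clear it only now, after the checks passed;
  # later Rubies removed taint tracking, hence the respond_to? guard.
  addr.untaint if addr.respond_to?(:untaint)
  addr
end

# Header values must not contain line breaks, or a form field could smuggle
# additional headers (more recipients, for instance) into the message.
def header_safe(value)
  value.to_s.gsub(/[\r\n]+/, ' ').strip
end

# The message the thread's code writes line by line with f.puts.
def build_message(name, to, body, date = Time.now.strftime('%a, %d %b %Y %H:%M:%S %z'))
  <<~MSG
    From: sender <sender@mail.com>
    To: #{header_safe(name)} <#{to}>
    Subject: Test
    Date: #{date}

    #{header_safe(name)}

    #{body}
  MSG
end

# Sends the form mail; raises instead of untainting an unvetted address.
def send_form_mail(form_email, name, body, host = 'mail', port = 25)
  require 'net/smtp' # loaded here so the validators above need no gem
  to = safe_recipient(form_email) or raise ArgumentError, 'recipient rejected'
  Net::SMTP.start(host, port) do |smtp|
    smtp.open_message_stream('sender@mail.com', [to]) do |f|
      f.write build_message(name, to, body)
    end
  end
end
```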
Which is what I suggested. We do try to be a little gentle in our
suggestions in ruby-talk.
Being able to send an e-mail is the first pre-requisite to building a
verification system. In general you want to have a policy such as
verifying e-mail addresses before, say subscribing someone, and only
using that address again after it's been verified by a reply or a link
back via http or the like, but in order to do that you need to be able
to send that verification email, the rest moves from mechanism to
policy, and as I understand the OPs problem he was having trouble
figuring out the mechanism.
···
On 3/12/07, Jenda Krynicky <jenda@cpan.org> wrote:
Rick Denatale wrote:
> You should try either:
>
> smtp.open_message_stream('sender@mail.com', [email.untaint]) do
>
> or
>
> smtp.open_message_stream('sender@mail.com', email.untaint) do
>
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.
Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! "Solving" the issue by blind untainting is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it's one of the allowed addresses or at least
that it's in the allowed domain(s).
Cool article. That guy you mentioned sounds familiar;)
I'm not a programmer I'm simply using ruby as an alternative to php on
my web site. Doing so has taught me a lot and its been a great deal of
fun.
Watch out, you might become one. I guess it is a great chance to
learn Ruby as one's first programming language. I envy you.
Cheers
Robert
···
On 3/12/07, peter <ruby@iwebsl.com> wrote:
--
We have not succeeded in answering all of our questions.
In fact, in some ways, we are more confused than ever.
But we feel we are confused on a higher level and about more important things.
-Anonymous