Smtp.sendmail security

We are using the following code to send email messages from an online form
on our web site:

Net::SMTP.start('localhost', 25) {|smtp|
  smtp.sendmail(message, @from, @to)
}

The values of @from and @to are taken directly from their cgi.params values
with basically no modification. Is it possible for someone to exploit this
as a security vulnerability? Could someone use it to send email to multiple
addresses?



John Long
http://www.wiseheartdesign.com

Hi,


In message “smtp.sendmail security” on 03/07/29, “John W. Long” ng@johnwlong.com writes:

We are using the following code to send email messages from an online form
on our web site:

Net::SMTP.start('localhost', 25) {|smtp|
  smtp.sendmail(message, @from, @to)
}

The values of @from and @to are taken directly from their cgi.params values
with basically no modification. Is it possible for someone to exploit this
as a security vulnerability? Could someone use it to send email to multiple
addresses?

Check will be added. Thank you.

						matz.

Yukihiro Matsumoto wrote:

We are using the following code to send email messages from an online form
on our web site:

Net::SMTP.start('localhost', 25) {|smtp|
  smtp.sendmail(message, @from, @to)
}

The values of @from and @to are taken directly from their cgi.params values
with basically no modification. Is it possible for someone to exploit this
as a security vulnerability? Could someone use it to send email to multiple
addresses?

Check will be added. Thank you.

Can you elaborate on what this addition will do? I frequently use
smtp.sendmail with multiple ‘to’ addresses.


Chris
http://clabs.org/blogki

Can you elaborate on what this addition will do? I frequently use
smtp.sendmail with multiple 'to' addresses.

        * lib/net/smtp.rb (Net::SMTP::send0): add taint check.

svg% cat b.rb
#!/usr/bin/ruby -T1
require 'net/smtp'
Net::SMTP.start('localhost', 25) {|smtp|
   smtp.sendmail('message', 'ts', ARGV)
}
svg%

svg% b.rb ts
/usr/local/lib/ruby/1.8/net/smtp.rb:495:in `send0': tainted to_addr (SecurityError)
        from /usr/local/lib/ruby/1.8/net/smtp.rb:494:in `each'
        from /usr/local/lib/ruby/1.8/net/smtp.rb:494:in `send0'
        from /usr/local/lib/ruby/1.8/net/smtp.rb:472:in `sendmail'
        from ./b.rb:4
        from ./b.rb:3:in `start'
        from /usr/local/lib/ruby/1.8/net/smtp.rb:408:in `start'
        from ./b.rb:3
svg%

Guy Decoux


Tue Jul 29 16:38:44 2003 Yukihiro Matsumoto <matz@ruby-lang.org>
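The taint check Guy's transcript shows only refuses to pass a string that came from outside the program; it does not tell you whether the value is a single, well-formed mailbox. The application still has to check that itself, and on current Ruby it must, because the taint mechanism was deprecated in 2.7 and removed in 3.2. The following is an added example, not code from the thread or from Net::SMTP, of the explicit validation John's form would need: every envelope address is required to be exactly one plain mailbox with no control characters, and the recipient is restricted to an application-owned list, since the visitor should never choose where the message goes. It also handles the detail that CGI#params maps each field to an Array of values, so a repeated form field would otherwise hand sendmail several recipients. All helper names, the allowed-recipient list and the sample inputs are this example's own constructions.

```ruby
# Added example (not from the thread): validate form-supplied envelope
# addresses before they reach Net::SMTP#sendmail. The helper names here
# (single_value, safe_envelope_address, safe_recipient, validate_envelope,
# build_message, deliver_form_message) are this example's own.
require 'net/smtp'

class InvalidAddress < StandardError; end

# A single plain mailbox: local part, "@", dotted domain. No display names,
# no angle brackets, no spaces or commas, so one field can only ever carry
# one MAIL FROM: / RCPT TO: argument.
MAILBOX_RE = /\A[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+\z/

# Recipients are chosen by the application, not by the visitor; the form may
# only select one of these. Constructed list for the example.
ALLOWED_RECIPIENTS = %w[sales@example.com support@example.com].freeze

# CGI#params maps each field to an Array of values (a field repeated in the
# query string yields several). Accept exactly one value per field.
def single_value(raw)
  if raw.is_a?(Array)
    raise InvalidAddress, 'expected exactly one value' unless raw.length == 1
    raw = raw.first
  end
  raw.to_s
end

def safe_envelope_address(raw)
  s = single_value(raw)
  raise InvalidAddress, 'empty address' if s.empty?
  # CR, LF and other control bytes would end the SMTP command line early.
  raise InvalidAddress, 'control characters in address' if s.match?(/[\x00-\x1f\x7f]/)
  raise InvalidAddress, 'address too long' if s.bytesize > 254
  raise InvalidAddress, 'not a single mailbox' unless s.match?(MAILBOX_RE)
  s
end

def safe_recipient(raw)
  addr = safe_envelope_address(raw)
  raise InvalidAddress, 'recipient not permitted' unless ALLOWED_RECIPIENTS.include?(addr.downcase)
  addr
end

# Returns the validated envelope as { from:, to: }, or raises InvalidAddress.
def validate_envelope(params)
  { from: safe_envelope_address(params['from']), to: safe_recipient(params['to']) }
end

# Headers are built only from validated values; the visitor's text sits after
# the blank line, where a newline cannot introduce another header.
def build_message(from, to, body)
  "From: #{from}\r\nTo: #{to}\r\nSubject: Web form submission\r\n\r\n#{body}"
end

def deliver_form_message(params, host: 'localhost', port: 25)
  env = validate_envelope(params)
  msg = build_message(env[:from], env[:to], single_value(params['body']))
  Net::SMTP.start(host, port) { |smtp| smtp.sendmail(msg, env[:from], env[:to]) }
end

if __FILE__ == $0
  # Constructed inputs in the shape CGI#params returns.
  good = { 'from' => ['alice@example.org'], 'to' => ['sales@example.com'], 'body' => ['hi'] }
  p validate_envelope(good)
  [{ 'to' => ['sales@example.com', 'support@example.com'] },
   { 'to' => ["sales@example.com\r\n"] },
   { 'to' => ['sales@example.com, support@example.com'] },
   { 'to' => ['anyone@example.net'] }].each do |bad|
    begin
      validate_envelope(good.merge(bad))
    rescue InvalidAddress => e
      puts "rejected #{bad['to'].inspect}: #{e.message}"
    end
  end
end
```

Wire `deliver_form_message(cgi.params)` in place of the original block; a rejected address raises before any SMTP connection is opened, which is the right place for the form handler to return an error to the visitor.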