Smtp.sendmail security

I’m surprised that Net::SMTP lets you do that. It really should be set up so when taint checking is on, it won’t let you do that. Suffice it to say that is very bad. You shouldn’t allow that to happen.

Anyone could change the cgi params on any page. Unless this data is in a server-stored session, this means you’ve basically got a web-gateway open relay. Great for enterprising spammers and kiddies.

In general, treat CGI form data as unsanitary biowaste :) I’m not sure about mailing multiple people and whatnot, but one person is enough.

···

---------- Original Message ----------------------------------
From: “John W. Long” ng@johnwlong.com
Reply-To: ruby-talk@ruby-lang.org
Date: Tue, 29 Jul 2003 04:20:12 +0900

We are using the following code to send email messages from an online form
on our web site:

Net::SMTP.start('localhost', 25) {|smtp|
  smtp.sendmail(message, @from, @to)
}

The values of @from and @to are taken directly from their cgi.params values
with basically no modification. Is it possible for someone to exploit this
as a security vulnerability? Could someone use it to send email to multiple
addresses?


John Long
http://www.wiseheartdesign.com


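To make the point above concrete (the form handler quoted below takes @from and @to straight from cgi.params), here is an added example of the kind of check that keeps a contact form from becoming a web-gateway open relay. It is not code from the original post or from Net::SMTP; the field names 'from' and 'to', the allow-listed recipients and the sample inputs are assumptions for illustration. The idea is that the form only ever needs to reach a fixed set of mailboxes, so the recipient is checked against an allow-list, and both addresses are required to be a single plain mailbox, which also answers the multiple-address question: a string like "John"me@myemail.com;"Bill"bill@smith.com is rejected rather than handed to the mailer.

```ruby
# Added example, not code from the original thread or from Net::SMTP.
# Field names ('from'/'to'), the allow-list and the sample inputs are
# constructed for illustration.

# The form exists to reach a fixed set of mailboxes, so these are the only
# acceptable 'to' values (constructed for the example).
ALLOWED_RECIPIENTS = %w[sales@example.com support@example.com].freeze

# Deliberately narrow address shape: one local part, one '@', one dotted
# domain, nothing else.  Display names, quoted local parts, comments and
# address lists are rejected rather than parsed.
ADDRESS_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/

# Returns the address as a clean String if it is a single plain mailbox,
# nil otherwise.  CGI#params maps each field name to an Array of values,
# so a one-element Array is accepted and its only value used; a field that
# was submitted more than once is refused.
def plain_address(value)
  value = value.first if value.is_a?(Array) && value.size == 1
  return nil unless value.is_a?(String)
  s = value.strip
  return nil if s.match?(/[[:cntrl:]]/)  # CR, LF and friends never belong in an envelope address
  return nil unless ADDRESS_RE.match?(s)
  s
end

# Envelope check for the form handler: both addresses must be plain, and the
# recipient must be on the allow-list.  Fails closed with ArgumentError.
def checked_envelope(params)
  from = plain_address(params['from'])
  to   = plain_address(params['to'])
  raise ArgumentError, 'bad from address' unless from
  raise ArgumentError, 'bad to address' unless to
  raise ArgumentError, 'recipient not allowed' unless ALLOWED_RECIPIENTS.include?(to)
  [from, to]
end

# Drop-in replacement for the handler in the original post.  `smtp` is a
# Net::SMTP session (or anything with the same send_message signature);
# Net::SMTP#sendmail is an older alias of #send_message.
# In the CGI script this would be:
#   Net::SMTP.start('localhost', 25) { |smtp| send_form_mail(smtp, cgi.params, message) }
def send_form_mail(smtp, params, message)
  from, to = checked_envelope(params)
  smtp.send_message(message, from, to)
  [from, to]
end

# Offline stand-in for Net::SMTP so the example runs without a mail server.
class RecordingSMTP
  attr_reader :sent
  def initialize
    @sent = []
  end

  def send_message(msg, from, *to)
    @sent << [from, to, msg]
  end
end

if __FILE__ == $0
  smtp = RecordingSMTP.new
  ok = { 'from' => ['me@myemail.com'], 'to' => ['sales@example.com'] }
  send_form_mail(smtp, ok, "Subject: hello\r\n\r\nbody")
  puts "delivered: #{smtp.sent.inspect}"

  # The multi-address string from the thread, and an attacker-chosen recipient:
  ['"John"me@myemail.com;"Bill"bill@smith.com', 'bill@smith.com'].each do |bad|
    begin
      send_form_mail(smtp, { 'from' => ['me@myemail.com'], 'to' => [bad] }, 'x')
    rescue ArgumentError => e
      puts "rejected #{bad.inspect}: #{e.message}"
    end
  end
end
```

The allow-list is the part that actually closes the relay; the syntax check on its own would still let anyone pick any single mailbox on the Internet as the recipient. If the form genuinely has to support a user-chosen recipient, the recipient belongs in server-side state chosen by the application, not in a form field the client controls.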

Hi

Although I have been using Ruby for quite a long time and I love it, I
still have a lot to learn. I have some newbie questions after reading
the post:

  1. What is “taint checking”? I don’t quite understand what “taint”
    means here. I remember someone said that a String can not be “tainted” or
    you can’t change the value of a String?

  2. Unit Test. A lot of you are talking about Unit Test. I have not seen one
    in action. I would really like to learn something about that, especially, as I
    asked before, how can I catch a nil where a String is expected?

  3. Design patterns. I don’t know if this is relevant. I have written a
    socket program in Delphi and one in Ruby. I found that the Ruby one is a
    lot easier to manipulate, because it uses a blocking socket, while the
    Delphi one uses an event-driven async mechanism. Is there a case that makes
    async communication easier than a blocking socket?

Thanks,
Shannon

···

On Tue, 29 Jul 2003 04:26:54 +0900 “David Fayram” kirindave@lensmen.net wrote:

I’m surprised that Net::SMTP lets you do that. It really should be set up so when taint checking is on, it won’t let you do that. Suffice it to say that is very bad. You shouldn’t allow that to happen.

I’m surprised that Net::SMTP lets you do that. It really should be set up
so when taint checking is on, it won’t let you do that. Suffice it to say that
is very bad. You shouldn’t allow that to happen.

I agree it’s somewhat interesting, but it seems to take whatever I enter in
and do some munging of its own on it. For example, if I enter the following
for an email address:

"John"me@myemail.com;"Bill"bill@smith.com

it seems to convert this to something like:

"Johnme@myemail.com;Bill<bill"@smith.com

In other words it doesn’t seem to allow me to send to multiple email
addresses.

···


John Long
http://wiseheartdesign.com