Help with NET::SMTP


#1

I’m trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace
removed_email_address@domain.invalid with a variable based on the submitting users email
address #{email) but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?

Net::SMTP.start(‘mail’, 25) do |smtp|
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [‘removed_email_address@domain.invalid’]) do |
f|
f.puts “From: sender removed_email_address@domain.invalid”
f.puts “To: #{name} #{email}”
f.puts “Subject: Test”
f.puts “Date: #{t}”
f.puts
f.puts “#{name}\n\nTest Email!\n\n”
end

Thanks in advance!

Peter


#2

On 3/11/07, peter removed_email_address@domain.invalid wrote:

f.puts “To: #{name} #{email}”
It looks like the problem might be that the recipient email in the
header doesn’t match the one you gave when you opened the stream.

Assuming that the email variable contains the real recipient , have you
tried:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email]) do |
f|
f.puts “From: sender removed_email_address@domain.invalid”
f.puts “To: #{name} #{email}”


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/


#3

Hi Rick
Thanks for the response. I tried it just to check but that does not
work . The var email comes from a web form and does match the To however
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.


#4

On 3/11/07, peter removed_email_address@domain.invalid wrote:

Hi Rick
Thanks for the response. I tried it just to check but that does not
work . The var email comes from a web form and does match the To however
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.

Can you show a bit more of your code.

I’m not sure what you mean by “I think the real problem is that the to
is in an array and the array does not allow for a variable.”

In my suggested line:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email])

[email] will make and array containing one element which is the object
(presumably a String) referenced by the variable email. Now if email
ISN’T a string but is some other object, then perhaps [email.to_s]
would work.

I’ve never played with NET::SMTP, but this is basic Ruby stuff.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/


#5

Hi Rick

I was hoping I could use this as a simple form mailer but I’m starting
to think that that is not possible.

In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.

Bits of code.

require ‘digest/md5’
require ‘net/smtp’
require ‘cgi’
email = cgi[‘email’].strip

Form posts to self. The variable is email.

Net::SMTP.start(‘mail’, 25) do |smtp|
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [‘email’]) do |
f|
f.puts “From: sender removed_email_address@domain.invalid”
f.puts “To: #{name} #{email}”
f.puts “Subject: Test”
f.puts “Date: #{t}”
f.puts
f.puts “#{name}\n\nTest Email!\n\n”
end


#6

Yes I understand that, removing the ‘’ fails, as does adding “” or
anything I have tried. I can remove the () and [] and as long as I use a
proper email address instead of a var it works.

[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error]
mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0’: tainted to_addr
(SecurityError)


#7

On 3/12/07, peter removed_email_address@domain.invalid wrote:

f.puts “From: sender removed_email_address@domain.invalid”

Hi Rick

not:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [‘email’]) do

but:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email]) do

Those quotes mean that you are making an array with the literal string
‘email’

email=“removed_email_address@domain.invalid”
[‘email’] => [ ‘email’]

[email] => [“removed_email_address@domain.invalid”]


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/


#8

On 3/12/07, peter removed_email_address@domain.invalid wrote:

(SecurityError)

but:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email]) do

Okay, I finally realize that we have been chasing the wrong issue.

The problem isn’t that you are using a variable vs. a literal, it’s
that the email address you got from the form is marked as tainted and
you are running with $safe > 0

Here’s the relevant code from Net:SMTP, it’s in the send0 method which
is called by open_message_stream

  if $SAFE > 0
    raise SecurityError, 'tainted from_addr' if from_addr.tainted?
    to_addrs.each do |to|
      raise SecurityError, 'tainted to_addr' if to.tainted?
    end
  end

Web frameworks often do, and should, mark strings obtained from the
user as tainted, this avoids various security exposures.

You should try either:

smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email.untaint]) do

or

smtp.open_message_stream(‘removed_email_address@domain.invalid’, email.untaint) do

You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/


#9

That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

Many thanks!!


#10

Rick Denatale wrote:

On 3/12/07, peter removed_email_address@domain.invalid wrote:

(SecurityError)

but:
smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email]) do

Okay, I finally realize that we have been chasing the wrong issue.

The problem isn’t that you are using a variable vs. a literal, it’s
that the email address you got from the form is marked as tainted and
you are running with $safe > 0

Web frameworks often do, and should, mark strings obtained from the
user as tainted, this avoids various security exposures.

You should try either:

smtp.open_message_stream(‘removed_email_address@domain.invalid’, [email.untaint]) do

or

smtp.open_message_stream(‘removed_email_address@domain.invalid’, email.untaint) do

You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.

Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! “Solving” the issue by blind untaining is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it’s one of the allowed addresses or at least
that it’s in the allowed domain(s).

Jenda


#11

On 3/12/07, Jenda K. removed_email_address@domain.invalid wrote:

Rick Denatale wrote:

around the current problem.

Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! “Solving” the issue by blind untaining is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it’s one of the allowed addresses or at least
that it’s in the allowed domain(s).

Which is what I suggested. We do try to be a little gentle in our
suggestions in ruby-talk.

Being able to send an e-mail is the first pre-requisite to building a
verification system. In general you want to have a policy such as
verifying e-mail addresses before, say subscribing someone, and only
using that address again after it’s been verified by a reply or a link
back via http or the like, but in order to do that you need to be able
to send that verification email, the rest moves from mechanism to
policy, and as I understand the OPs problem he was having trouble
figuring out the mechanism.


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/


#12

Cool article. That guy you mentioned sounds familiar;)

I’m not a programmer I’m simply using ruby as an alternative to php on
my web site. Doing so has taught me a lot and its been a great deal of
fun.

Peter


#13

On 3/12/07, peter removed_email_address@domain.invalid wrote:

That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

This prompted me to post about the debugging mind-traps, something
I’ve been wanting to do for a few days.

http://talklikeaduck.denhaven2.com/articles/2007/03/12/are-you-aiming-at-the-right-bug


Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/


#14

On 3/12/07, peter removed_email_address@domain.invalid wrote:

Cool article. That guy you mentioned sounds familiar;)

I’m not a programmer I’m simply using ruby as an alternative to php on
my web site. Doing so has taught me a lot and its been a great deal of
fun.

Watch out you might become one :wink: I guess it is a great chance to
learn Ruby as one’s first programming language I envy you.

Cheers
Robert