Forum: Ruby Help with NET::SMTP

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
peter (Guest)
on 2007-03-11 16:13
(Received via mailing list)
I'm trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace
recipient@host.com with a variable based on the submitting user's email
address #{email} but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?

require 'net/smtp'

# name, email and t are set earlier from the submitted form
Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['recipient@host.com']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end

Thanks in advance!

Peter
Rick Denatale (rdenatale)
on 2007-03-11 23:46
(Received via mailing list)
On 3/11/07, peter <ruby@iwebsl.com> wrote:
> f.puts "To: #{name} #{email}"
It looks like the problem might be that the recipient email in the
header doesn't match the one you gave when you opened the stream.

Assuming that the email variable contains the real recipient, have you
tried:

smtp.open_message_stream('sender@mail.com', [email]) do |f|
  f.puts "From: sender sender@mail.com"
  f.puts "To: #{name} #{email}"
...


--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
peter (Guest)
on 2007-03-12 01:21
(Received via mailing list)
Hi Rick
Thanks for the response. I tried it just to check but that does not
work. The var email comes from a web form and does match the To; however,
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.
Rick Denatale (rdenatale)
on 2007-03-12 13:47
(Received via mailing list)
On 3/11/07, peter <ruby@iwebsl.com> wrote:
> Hi Rick
> Thanks for the response. I tried it just to check but that does not
> work . The var email comes from a web form and does match the To however
> I think the real problem is that the to is in an array and the array
> does not allow for a variable. This is very odd though because it would
> be extremely limiting to not be able to set these values as vars.

Can you show a bit more of your code.

I'm not sure what you mean by "I think the real problem is that the to
is in an array and the array does not allow for a variable."

In my suggested line:
smtp.open_message_stream('sender@mail.com', [email])

[email] will make an array containing one element which is the object
(presumably a String) referenced by the variable email.  Now if email
ISN'T a string but is some other object, then perhaps [email.to_s]
would work.

I've never played with NET::SMTP, but this is basic Ruby stuff.

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
peter (Guest)
on 2007-03-12 14:21
(Received via mailing list)
Hi Rick

I was hoping I could use this as a simple form mailer but I'm starting
to think that that is not possible.

In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.

Bits of code.

require 'digest/md5'
require 'net/smtp'
require 'cgi'
email = cgi['email'].strip

Form posts to self. The variable is email.

Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('sender@mail.com', ['email']) do |f|
    f.puts "From: sender sender@mail.com"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end
Rick Denatale (rdenatale)
on 2007-03-12 14:33
(Received via mailing list)
On 3/12/07, peter <ruby@iwebsl.com> wrote:
> f.puts "From: sender sender@mail.com"
> > > Hi Rick

not:
smtp.open_message_stream('sender@mail.com', ['email']) do


but:
smtp.open_message_stream('sender@mail.com', [email]) do

Those quotes mean that you are making an array with the literal string
'email'

email="joe.blow@somedomain.com"
['email'] => [ 'email']

[email] => ["joe.blow@somedomain.com"]

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
peter (Guest)
on 2007-03-12 15:35
(Received via mailing list)
Yes, I understand that; removing the '' fails, as does adding "" or
anything I have tried. I can remove the () and [] and as long as I use a
proper email address instead of a var it works.


[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error]
mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
(SecurityError)
Rick Denatale (rdenatale)
on 2007-03-12 16:18
(Received via mailing list)
On 3/12/07, peter <ruby@iwebsl.com> wrote:
> (SecurityError)
> > but:
> > smtp.open_message_stream('sender@mail.com', [email]) do

Okay,  I finally realize that we have been chasing the wrong issue.

The problem isn't that you are using a variable vs. a literal, it's
that the email address you got from the form is marked as tainted and
you are running with $SAFE > 0

Here's the relevant code from Net::SMTP, it's in the send0 method which
is called by open_message_stream

      if $SAFE > 0
        raise SecurityError, 'tainted from_addr' if from_addr.tainted?
        to_addrs.each do |to|
          raise SecurityError, 'tainted to_addr' if to.tainted?
        end
      end

Web frameworks often do, and should, mark strings obtained from the
user as tainted; this avoids various security exposures.

You should try either:

smtp.open_message_stream('sender@mail.com', [email.untaint]) do

or

smtp.open_message_stream('sender@mail.com', email.untaint) do

You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
peter (Guest)
on 2007-03-12 16:32
(Received via mailing list)
That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

Many thanks!!
Jenda Krynicky (jendaperl)
on 2007-03-12 17:25
Rick Denatale wrote:
> On 3/12/07, peter <ruby@iwebsl.com> wrote:
>> (SecurityError)
>> >
>> > but:
>> > smtp.open_message_stream('sender@mail.com', [email]) do
>> >
>
> Okay,  I finally realize that we have been chasing the wrong issue.
>
> The problem isn't that you are using a variable vs. a literal, it's
> that the email address you got from the form is marked as tainted and
> you are running with $safe > 0
>
> Web frameworks often do, and should, mark strings obtained from the
> user as tainted, this avoids various security exposures.
>
> You should try either:
>
> smtp.open_message_stream('sender@mail.com', [email.untaint]) do
>
> or
>
> smtp.open_message_stream('sender@mail.com', email.untaint) do
>
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.

Yeah, you may do this and create yet another web-based mailer that will
allow everyone to send email to anyone. The email variable contents
were tainted for a reason! "Solving" the issue by blind untainting is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it's one of the allowed addresses or at least
that it's in the allowed domain(s).

Jenda
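Added example, not code from the thread or from Net::SMTP itself: the validation that both Rick's reply (check the address syntactically before untainting) and Jenda's reply (restrict it to allowed addresses or domains) ask for, written so that it runs on the Ruby 1.8 mod_ruby setup in the thread as well as on current Rubies, which no longer track taint. The allowed domains, the sample addresses and the SMTP host are constructed for the example. It also strips line breaks out of the header fields that are built from the same form input; the thread does not raise that point, but a recipient or name containing a newline would otherwise let a form poster add headers of their own.

```ruby
require 'time'

# Recipient domains this form mailer is allowed to send to (constructed
# for the example; a real deployment would read this from configuration).
ALLOWED_DOMAINS = %w[example.com example.org].freeze
MAX_ADDR_LEN = 254

# One bare address: local part, '@', dotted domain. No display name, no
# angle brackets, no whitespace. Deliberately stricter than RFC 5322; a
# form mailer can afford to reject exotic but valid addresses. \A and \z
# (not ^ and $) so that "a@example.com\nBcc: b@example.net" cannot match
# on its first line alone.
ADDR_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/

def valid_recipient?(addr)
  return false unless addr.is_a?(String)
  return false if addr.empty? || addr.length > MAX_ADDR_LEN
  return false if addr.match?(/[\r\n\0]/)        # header injection
  return false unless addr.match?(ADDR_RE)
  ALLOWED_DOMAINS.include?(addr.split('@', 2).last.downcase)
end

# Returns a copy of the address that is safe to hand to Net::SMTP, or
# raises. Ruby < 2.7 honours $SAFE and taint, so the copy is untainted
# there; 2.7 to 3.1 keep untaint as a deprecated no-op and 3.2+ removed
# it, so it is only called on the old interpreters.
def vetted_recipient(addr)
  raise ArgumentError, "recipient not allowed: #{addr.inspect}" unless valid_recipient?(addr)
  clean = addr.dup
  old_ruby = (RUBY_VERSION.split('.').map(&:to_i) <=> [2, 7]) < 0
  clean.untaint if old_ruby && clean.respond_to?(:untaint)
  clean
end

# The display name lands in a header too, so it gets the same treatment.
def header_safe(text)
  text.to_s.gsub(/[\r\n\0]+/, ' ').strip
end

def build_message(from:, to:, name:, now: Time.now)
  raise ArgumentError, 'newline in address' if [from, to].any? { |a| a.match?(/[\r\n]/) }
  <<~MSG
    From: #{from}
    To: #{header_safe(name)} <#{to}>
    Subject: Test
    Date: #{now.rfc2822}

    #{header_safe(name)}

    Test Email!
  MSG
end

# Same shape as the thread's snippet, but the SMTP envelope and the To:
# header only ever see an address that passed vetted_recipient.
def send_form_mail(recipient, name, smtp_host: 'mail', smtp_port: 25)
  require 'net/smtp'
  to = vetted_recipient(recipient)
  msg = build_message(from: 'sender@mail.com', to: to, name: name)
  Net::SMTP.start(smtp_host, smtp_port) do |smtp|
    smtp.send_message(msg, 'sender@mail.com', to)
  end
end
```

The domain allowlist is what turns the script from an open relay for anyone who can POST the form into a mailer that can only reach addresses you chose; if the form must accept arbitrary recipients, the verification-link policy Rick describes later in the thread is the alternative, and vetted_recipient is still the gate the address has to pass before the verification mail goes out.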
Rick Denatale (rdenatale)
on 2007-03-12 18:47
(Received via mailing list)
On 3/12/07, peter <ruby@iwebsl.com> wrote:
> That did the trick and I will test thoroughly. I was suspecting it was a
> security issue.

This prompted me to post about the debugging mind-traps, something
I've been wanting to do for a few days.

http://talklikeaduck.denhaven2.com/articles/2007/0...

--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
Rick Denatale (rdenatale)
on 2007-03-12 18:55
(Received via mailing list)
On 3/12/07, Jenda Krynicky <jenda@cpan.org> wrote:
> Rick Denatale wrote:

> > around the current problem.
>
> Yeah, you may do this and create yet another web based mailer that will
> allow everyone to send the email to anyone. The email variable contents
> were tainted for a reason! "Solving" the issue by blind untaining is not
> the brightest thing to do. You should validate the email first and (if
> at all possible) make sure it's one of the allowed addresses or at least
> that it's in the allowed domain(s).

Which is what I suggested.  We do try to be a little gentle in our
suggestions in ruby-talk.

Being able to send an e-mail is the first prerequisite to building a
verification system. In general you want to have a policy such as
verifying e-mail addresses before, say, subscribing someone, and only
using that address again after it's been verified by a reply or a link
back via http or the like, but in order to do that you need to be able
to send that verification email. The rest moves from mechanism to
policy, and as I understand the OP's problem he was having trouble
figuring out the mechanism.


--
Rick DeNatale

My blog on Ruby
http://talklikeaduck.denhaven2.com/
peter (Guest)
on 2007-03-12 19:44
(Received via mailing list)
Cool article. That guy you mentioned sounds familiar;)

I'm not a programmer; I'm simply using Ruby as an alternative to PHP on
my web site. Doing so has taught me a lot and it's been a great deal of
fun.

Peter
Robert Dober (Guest)
on 2007-03-12 22:01
(Received via mailing list)
On 3/12/07, peter <ruby@iwebsl.com> wrote:
> Cool article. That guy you mentioned sounds familiar;)
>
> I'm not a programmer I'm simply using ruby as an alternative to php on
> my web site. Doing so has taught me a lot and its been a great deal of
> fun.

Watch out, you might become one ;) I guess it is a great chance to
learn Ruby as one's first programming language. I envy you.

Cheers
Robert