On Wed, Jul 19, 2017 at 4:23 PM, Craig Russell <[email protected]> wrote: > >> On Jul 19, 2017, at 1:14 PM, Sam Ruby <[email protected]> wrote: >> >> On Wed, Jul 19, 2017 at 2:53 PM, Craig Russell <[email protected]> wrote: >>> Hi Sam, >>> >>> What is a tainted email address? >> >> Tainted strings are strings that are constructed from outside sources, >> and therefore potential security holes (think SQL injection >> attack[1]). > > So when you construct email addresses > #{person.public_name} <#{person.id}@apache.org>" > from a file or ldap or from the secretary typing into the form field, they > are tainted. > > And .untaint says that even though these came from unreliable sources, you > can trust them. > > Got it.
Correct. You will often see code of the form: date.untaint if date =~ /^\d+_\d+_\d+$/ In this case, I didn't feel it was necessary. But just to be doubly sure, I just added calls to '.inspect' to where we use public names, this will have the effect of quoting those names. > Thanks, > > Craig - Sam Ruby >> Given the restrictions we have on Apache user ids, I think we are safe. >> >>> Craig >> >> - Sam Ruby >> >>>> On Jul 19, 2017, at 11:49 AM, [email protected] wrote: >>>> >>>> This is an automated email from the ASF dual-hosted git repository. >>>> >>>> rubys pushed a commit to branch master >>>> in repository https://gitbox.apache.org/repos/asf/whimsy.git >>>> >>>> >>>> The following commit(s) were added to refs/heads/master by this push: >>>> new ef281dd untaint addresses >>>> ef281dd is described below >>>> >>>> commit ef281ddf7b81d2f4936836caf78bdb1b8f7ae296 >>>> Author: Sam Ruby <[email protected]> >>>> AuthorDate: Wed Jul 19 14:49:41 2017 -0400 >>>> >>>> untaint addresses >>>> --- >>>> www/board/agenda/views/actions/todos.json.rb | 10 ++++++++-- >>>> 1 file changed, 8 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/www/board/agenda/views/actions/todos.json.rb >>>> b/www/board/agenda/views/actions/todos.json.rb >>>> index 205a67e..336fd10 100644 >>>> --- a/www/board/agenda/views/actions/todos.json.rb >>>> +++ b/www/board/agenda/views/actions/todos.json.rb >>>> @@ -73,10 +73,16 @@ if @add and env.password >>>> ASF::Mail.configure >>>> sender = ASF::Person.new(env.user) >>>> mail = Mail.new do >>>> - from "#{sender.public_name} <#{sender.id}@apache.org>" >>>> - to people.map {|person| "#{person.public_name} >>>> <#{person.id}@apache.org>"} >>>> + from "#{sender.public_name} <#{sender.id}@apache.org>".untaint >>>> + >>>> + to people.map do |person| >>>> + "<#{person.id}@apache.org>".untaint >>>> + end >>>> + >>>> cc 'Apache Board <[email protected]>' >>>> + >>>> subject "Congratulations on your new role at Apache" >>>> + >>>> body "Dear new PMC chairs,\n\nCongratulations on your new role at " + >>>> "Apache. I've changed your LDAP privileges to reflect your new " + >>>> "status.\n\nPlease read this and update the foundation records:\n" + >>>> >>>> -- >>>> To stop receiving notification emails like this one, please contact >>>> ['"[email protected]" <[email protected]>']. >>> >>> Craig L Russell >>> Architect >>> [email protected] >>> P.S. A good JDO? O, Gasp! >>> >>> >>> >>> >>> > > Craig L Russell > Architect > [email protected] > P.S. A good JDO? O, Gasp! > > > > >
