On Wed, Jul 19, 2017 at 4:23 PM, Craig Russell <[email protected]> wrote:
>
>> On Jul 19, 2017, at 1:14 PM, Sam Ruby <[email protected]> wrote:
>>
>> On Wed, Jul 19, 2017 at 2:53 PM, Craig Russell <[email protected]> wrote:
>>> Hi Sam,
>>>
>>> What is a tainted email address?
>>
>> Tainted strings are strings that are constructed from outside sources,
>> and therefore potential security holes (think SQL injection
>> attack[1]).
>
> So when you construct email addresses
> #{person.public_name} <#{person.id}@apache.org>"
> from a file or ldap or from the secretary typing into the form field, they 
> are tainted.
>
> And .untaint says that even though these came from unreliable sources, you 
> can trust them.
>
> Got it.

Correct.

You will often see code of the form:

date.untaint if date =~ /^\d+_\d+_\d+$/

In this case, I didn't feel it was necessary.  But just to be doubly
sure, I just added calls to '.inspect' to where we use public names,
this will have the effect of quoting those names.

> Thanks,
>
> Craig

- Sam Ruby

>> Given the restrictions we have on Apache user ids, I think we are safe.
>>
>>> Craig
>>
>> - Sam Ruby
>>
>>>> On Jul 19, 2017, at 11:49 AM, [email protected] wrote:
>>>>
>>>> This is an automated email from the ASF dual-hosted git repository.
>>>>
>>>> rubys pushed a commit to branch master
>>>> in repository https://gitbox.apache.org/repos/asf/whimsy.git
>>>>
>>>>
>>>> The following commit(s) were added to refs/heads/master by this push:
>>>>    new ef281dd  untaint addresses
>>>> ef281dd is described below
>>>>
>>>> commit ef281ddf7b81d2f4936836caf78bdb1b8f7ae296
>>>> Author: Sam Ruby <[email protected]>
>>>> AuthorDate: Wed Jul 19 14:49:41 2017 -0400
>>>>
>>>>   untaint addresses
>>>> ---
>>>> www/board/agenda/views/actions/todos.json.rb | 10 ++++++++--
>>>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/www/board/agenda/views/actions/todos.json.rb 
>>>> b/www/board/agenda/views/actions/todos.json.rb
>>>> index 205a67e..336fd10 100644
>>>> --- a/www/board/agenda/views/actions/todos.json.rb
>>>> +++ b/www/board/agenda/views/actions/todos.json.rb
>>>> @@ -73,10 +73,16 @@ if @add and env.password
>>>>  ASF::Mail.configure
>>>>  sender = ASF::Person.new(env.user)
>>>>  mail = Mail.new do
>>>> -    from "#{sender.public_name} <#{sender.id}@apache.org>"
>>>> -    to people.map {|person| "#{person.public_name} 
>>>> <#{person.id}@apache.org>"}
>>>> +    from "#{sender.public_name} <#{sender.id}@apache.org>".untaint
>>>> +
>>>> +    to people.map do |person|
>>>> +      "<#{person.id}@apache.org>".untaint
>>>> +    end
>>>> +
>>>>    cc 'Apache Board <[email protected]>'
>>>> +
>>>>    subject "Congratulations on your new role at Apache"
>>>> +
>>>>    body "Dear new PMC chairs,\n\nCongratulations on your new role at " +
>>>>    "Apache. I've changed your LDAP privileges to reflect your new " +
>>>>    "status.\n\nPlease read this and update the foundation records:\n" +
>>>>
>>>> --
>>>> To stop receiving notification emails like this one, please contact
>>>> ['"[email protected]" <[email protected]>'].
>>>
>>> Craig L Russell
>>> Architect
>>> [email protected]
>>> P.S. A good JDO? O, Gasp!
>>>
>>>
>>>
>>>
>>>
>
> Craig L Russell
> Architect
> [email protected]
> P.S. A good JDO? O, Gasp!
>
>
>
>
>

Reply via email to