Help with NET::SMTP

peter

I'm trying to use Net::SMTP which appears to do most everything I need
except for one thing. In the example below I need to replace
(e-mail address removed) with a variable based on the submitting user's email
address #{email} but nothing I have tried works. In most cases I get a
tainted sender error. How can I use this and have a variable recipient?

Net::SMTP.start('mail', 25) do |smtp|
  # Arguments: envelope sender, then the list of envelope recipients.
  smtp.open_message_stream('(e-mail address removed)', ['(e-mail address removed)']) do |f|
    f.puts "From: sender (e-mail address removed)"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end

Thanks in advance!

Peter
 
Rick DeNatale

It looks like the problem might be that the recipient email in the
header doesn't match the one you gave when you opened the stream.

Assuming that the email variable contains the real recipient, have you tried:
smtp.open_message_stream('(e-mail address removed)', (e-mail address removed)
 
peter

Hi Rick
Thanks for the response. I tried it just to check but that does not
work. The var email comes from a web form and does match the To however
I think the real problem is that the to is in an array and the array
does not allow for a variable. This is very odd though because it would
be extremely limiting to not be able to set these values as vars.

 
Rick DeNatale

Can you show a bit more of your code?

I'm not sure what you mean by "I think the real problem is that the to
is in an array and the array does not allow for a variable."

In my suggested line:
smtp.open_message_stream('(e-mail address removed)', [email])

[email] will make an array containing one element which is the object
(presumably a String) referenced by the variable email. Now if email
ISN'T a string but is some other object, then perhaps [email.to_s]
would work.

I've never played with NET::SMTP, but this is basic Ruby stuff.
 
peter

Hi Rick

I was hoping I could use this as a simple form mailer but I'm starting
to think that that is not possible.

In the open_message_stream you need a from and to. In my case the to is
a variable in eruby #{email}. Everything I have tried either results in
tainted to or security error.

Bits of code.

require 'digest/md5'
require 'net/smtp'
require 'cgi'
email = cgi['email'].strip

Form posts to self. The variable is email.

Net::SMTP.start('mail', 25) do |smtp|
  smtp.open_message_stream('(e-mail address removed)', ['email']) do |f|
    f.puts "From: sender (e-mail address removed)"
    f.puts "To: #{name} #{email}"
    f.puts "Subject: Test"
    f.puts "Date: #{t}"
    f.puts
    f.puts "#{name}\n\nTest Email!\n\n"
  end
end


 
Rick DeNatale

In my suggested line:
smtp.open_message_stream('(e-mail address removed)', (e-mail address removed)
 
peter

Yes I understand that, removing the '' fails, as does adding "" or
anything I have tried. I can remove the () and [] and as long as I use a
proper email address instead of a var it works.


[Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
[Mon Mar 12 10:14:04 2007] [error] mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr (SecurityError)



 
Rick DeNatale

not:
smtp.open_message_stream('(e-mail address removed)', ['email']) do


but:
smtp.open_message_stream('(e-mail address removed)', (e-mail address removed)
 
peter

That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

Many thanks!!

 
Rick DeNatale

Rick Denatale wrote:
You should try either:

smtp.open_message_stream('(e-mail address removed)', [email.untaint]) do

or

smtp.open_message_stream('(e-mail address removed)', email.untaint) do

You might want to apply various tests to email to see if it is a valid
email address, at least syntactically first, but this should get you
around the current problem.

Yeah, you may do this and create yet another web based mailer that will
allow everyone to send the email to anyone. The email variable contents
were tainted for a reason! "Solving" the issue by blind untainting is not
the brightest thing to do. You should validate the email first and (if
at all possible) make sure it's one of the allowed addresses or at least
that it's in the allowed domain(s).

Which is what I suggested. We do try to be a little gentle in our
suggestions in ruby-talk.

Being able to send an e-mail is the first pre-requisite to building a
verification system. In general you want to have a policy such as
verifying e-mail addresses before, say subscribing someone, and only
using that address again after it's been verified by a reply or a link
back via http or the like, but in order to do that you need to be able
to send that verification email, the rest moves from mechanism to
policy, and as I understand the OP's problem he was having trouble
figuring out the mechanism.
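
One way to do the validation asked for above before a form value reaches open_message_stream, as an added example that is not part of the original thread; the allowed domains, sample inputs and helper names are assumptions. It checks syntax and domain explicitly rather than relying on taint tracking, which later Ruby versions removed.

```ruby
# Added example: validate a form-supplied recipient before it reaches Net::SMTP.
# ALLOWED_DOMAINS, the sample addresses and the helper names are assumptions.
ALLOWED_DOMAINS = %w[example.org example.net].freeze

# Conservative syntax check: exactly one "@", no whitespace, commas or control
# characters, a dot-separated domain. Deliberately stricter than RFC 5322.
ADDRESS_RE = /\A[A-Za-z0-9._%+-]{1,64}@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\z/

class RejectedInput < StandardError; end

# Returns a normalized address String, or raises RejectedInput.
def checked_recipient(raw, allowed = ALLOWED_DOMAINS)
  addr = raw.to_s.strip
  raise RejectedInput, 'address too long' if addr.length > 254
  m = ADDRESS_RE.match(addr)
  raise RejectedInput, 'not a single plain address' unless m
  domain = m[1].downcase
  raise RejectedInput, "domain not allowed: #{domain}" unless allowed.include?(domain)
  "#{addr[0...addr.index('@')]}@#{domain}"
end

# The display name is written into a header line, so line breaks must not survive.
def checked_display_name(raw)
  name = raw.to_s.strip
  raise RejectedInput, 'bad display name' if name.empty? || name.length > 80 || name =~ /[\r\n<>"]/
  name
end

# Returns [envelope_recipient, message_text]. Pass the first element to
# smtp.open_message_stream(from, [to]) and write the second to the stream.
def build_message(from, raw_name, raw_email, date)
  to = checked_recipient(raw_email)
  name = checked_display_name(raw_name)
  headers = ["From: #{from}", "To: #{name} <#{to}>", 'Subject: Test', "Date: #{date}"]
  [to, headers.join("\r\n") + "\r\n\r\n#{name}\r\n\r\nTest Email!\r\n"]
end

# Constructed form inputs: one acceptable, three that must be refused.
SAMPLES = [
  'alice@example.org',
  "alice@example.org\nextra line",
  'mallory@elsewhere.invalid',
  'alice@example.org, bob@example.org'
].freeze

# Maps each sample to its normalized address, or :rejected.
def results
  SAMPLES.map { |s| checked_recipient(s) rescue :rejected }
end
```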
 
peter

Cool article. That guy you mentioned sounds familiar;)

I'm not a programmer; I'm simply using ruby as an alternative to php on
my web site. Doing so has taught me a lot and it's been a great deal of
fun.

Peter
 
Robert Dober

Watch out you might become one ;) I guess it is a great chance to
learn Ruby as one's first programming language I envy you.

Cheers
Robert
 
