Posted to commits@whimsical.apache.org by ru...@apache.org on 2017/07/19 18:49:50 UTC

[whimsy] branch master updated: untaint addresses

This is an automated email from the ASF dual-hosted git repository.

rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new ef281dd  untaint addresses
ef281dd is described below

commit ef281ddf7b81d2f4936836caf78bdb1b8f7ae296
Author: Sam Ruby <ru...@intertwingly.net>
AuthorDate: Wed Jul 19 14:49:41 2017 -0400

    untaint addresses
---
 www/board/agenda/views/actions/todos.json.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/www/board/agenda/views/actions/todos.json.rb b/www/board/agenda/views/actions/todos.json.rb
index 205a67e..336fd10 100644
--- a/www/board/agenda/views/actions/todos.json.rb
+++ b/www/board/agenda/views/actions/todos.json.rb
@@ -73,10 +73,16 @@ if @add and env.password
   ASF::Mail.configure
   sender = ASF::Person.new(env.user)
   mail = Mail.new do
-    from "#{sender.public_name} <#{...@apache.org>"
-    to people.map {|person| "#{person.public_name} <#{...@apache.org>"}
+    from "#{sender.public_name} <#{...@apache.org>".untaint
+
+    to people.map do |person|
+      "<#{...@apache.org>".untaint
+    end
+
     cc 'Apache Board <bo...@apache.org>'
+
     subject "Congratulations on your new role at Apache"
+
     body "Dear new PMC chairs,\n\nCongratulations on your new role at " +
     "Apache. I've changed your LDAP privileges to reflect your new " +
     "status.\n\nPlease read this and update the foundation records:\n" +
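Review bot: the `.untaint` on the new `from` and `to` lines trusts the whole interpolated string without checking what went into it, even though `sender.public_name` and the user id come from LDAP and the request; untaint only after the id has matched the expected user-id pattern, and quote or escape `public_name` before placing it in a display name, since `"`, `,`, `<` or a newline inside it changes how the header is parsed. Also worth a line in the commit message: the `to` entries now carry only `<...@apache.org>` and drop `person.public_name`, while `from` keeps it.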

-- 
To stop receiving notification emails like this one, please contact
['"commits@whimsical.apache.org" <co...@whimsical.apache.org>'].

Re: [whimsy] branch master updated: untaint addresses

Posted by Sam Ruby <ru...@intertwingly.net>.
On Wed, Jul 19, 2017 at 4:23 PM, Craig Russell <ap...@gmail.com> wrote:
>
>> On Jul 19, 2017, at 1:14 PM, Sam Ruby <ru...@intertwingly.net> wrote:
>>
>> On Wed, Jul 19, 2017 at 2:53 PM, Craig Russell <ap...@gmail.com> wrote:
>>> Hi Sam,
>>>
>>> What is a tainted email address?
>>
>> Tainted strings are strings that are constructed from outside sources,
>> and therefore potential security holes (think SQL injection
>> attack[1]).
>
> So when you construct email addresses
> #{person.public_name} <#{...@apache.org>"
> from a file or LDAP or from the secretary typing into the form field, they are tainted.
>
> And .untaint says that even though these came from unreliable sources, you can trust them.
>
> Got it.

Correct.

You will often see code of the form:

date.untaint if date =~ /^\d+_\d+_\d+$/

In this case, I didn't feel it was necessary. But just to be doubly
sure, I just added calls to '.inspect' to where we use public names;
this will have the effect of quoting those names.

> Thanks,
>
> Craig

- Sam Ruby


Re: [whimsy] branch master updated: untaint addresses

Posted by Craig Russell <ap...@gmail.com>.
> On Jul 19, 2017, at 1:14 PM, Sam Ruby <ru...@intertwingly.net> wrote:
> 
> On Wed, Jul 19, 2017 at 2:53 PM, Craig Russell <ap...@gmail.com> wrote:
>> Hi Sam,
>> 
>> What is a tainted email address?
> 
> Tainted strings are strings that are constructed from outside sources,
> and therefore potential security holes (think SQL injection
> attack[1]).

So when you construct email addresses
#{person.public_name} <#{...@apache.org>"
from a file or LDAP or from the secretary typing into the form field, they are tainted.

And .untaint says that even though these came from unreliable sources, you can trust them.

Got it.

Thanks,

Craig


Craig L Russell
Architect
craig.russell@oracle.com
P.S. A good JDO? O, Gasp!

Re: [whimsy] branch master updated: untaint addresses

Posted by Sam Ruby <ru...@intertwingly.net>.
On Wed, Jul 19, 2017 at 2:53 PM, Craig Russell <ap...@gmail.com> wrote:
> Hi Sam,
>
> What is a tainted email address?

Tainted strings are strings that are constructed from outside sources,
and therefore potential security holes (think SQL injection
attack[1]).

Given the restrictions we have on Apache user ids, I think we are safe.

> Craig

- Sam Ruby

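As an added Ruby example, not code from the Whimsy repository, this shows the validate-then-untaint pattern Sam describes in his first reply above (`x.untaint if x =~ /.../`) together with the quoting of public names he mentions, applied to the "tainted strings from outside sources" point made here. The user-id pattern `APACHE_ID`, the helper names and the sample people are assumptions; the thread does not state the actual Apache user-id restrictions.

```ruby
# Added example (not Whimsy's own code): validate, then untaint, then quote.
# The real restrictions on Apache user ids are not given in the thread;
# this pattern is an assumption standing in for them.
APACHE_ID = /\A[a-z][a-z0-9-]{2,}\z/

class TaintedInputError < ArgumentError; end

# RFC 5322 allows '"', '\' and specials in a display name only inside a
# quoted-string; this is the quoting that Sam's `.inspect` approximates.
def quote_display_name(name)
  escaped = name.gsub(/(["\\])/) { "\\#{$1}" }.gsub(/[\r\n]/, ' ')
  '"' + escaped + '"'
end

# Build a "Name <id@apache.org>" mailbox from values of outside origin
# (LDAP, a file, a form field). The id must match the pattern before
# anything is trusted; the name is quoted rather than trusted.
def mailbox(public_name, user_id)
  unless user_id =~ APACHE_ID
    raise TaintedInputError, "refusing to trust user id #{user_id.inspect}"
  end
  address = "#{quote_display_name(public_name)} <#{user_id}@apache.org>"
  # String#untaint is a no-op from Ruby 3.0 and gone in 3.2; call it only
  # after the check, and only where it still exists.
  address.untaint if address.respond_to?(:untaint)
  address
end

# Takes (name, id) pairs and returns the mailboxes that passed the check
# together with the ids that were rejected.
def mailboxes(people)
  ok, rejected = [], []
  people.each do |name, id|
    begin
      ok << mailbox(name, id)
    rescue TaintedInputError
      rejected << id
    end
  end
  [ok, rejected]
end

if __FILE__ == $0
  # Constructed sample input: two valid ids and one that must be refused.
  ok, bad = mailboxes([["Sam Ruby", "rubys"], ['Jane "JD" Doe', "jdoe"],
                       ["Not An Id", "jdoe, other"]])
  puts ok, "rejected: #{bad.inspect}"
end
```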

Re: [whimsy] branch master updated: untaint addresses

Posted by Craig Russell <ap...@gmail.com>.
Hi Sam,

What is a tainted email address?

Craig


Craig L Russell
Architect
craig.russell@oracle.com
P.S. A good JDO? O, Gasp!