Posted to commits@whimsical.apache.org by ru...@apache.org on 2016/09/15 12:33:15 UTC
[whimsy] branch master updated: untaint email addresses
This is an automated email from the ASF dual-hosted git repository.
rubys pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new e39392f untaint email addresses
e39392f is described below
commit e39392fb0fb40d00bb00b22bc09f740702af0271
Author: Sam Ruby <ru...@intertwingly.net>
AuthorDate: Thu Sep 15 08:30:35 2016 -0400
untaint email addresses
---
www/secmail/public/tasklist.js | 2 +-
www/secmail/tasks.rb | 2 +-
www/secmail/views/actions/icla.json.rb | 13 +++++++++++--
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/www/secmail/public/tasklist.js b/www/secmail/public/tasklist.js
index e2ea23e..1674f29 100644
--- a/www/secmail/public/tasklist.js
+++ b/www/secmail/public/tasklist.js
@@ -75,7 +75,7 @@ function nexttask(proceed) {
spinner.remove();
- if (tasks.length) {
+ if (!proceed) {
$('h1').removeClass('bg-info').addClass('bg-danger').
text('Processing Aborted');
message = {status: 'aborted'}
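Review bot: With the condition now `if (!proceed)`, any call to `nexttask` that omits the argument leaves `proceed` undefined and lands in the "Processing Aborted" branch, whether or not a task failed. The callers are outside this hunk, so this may be fine if each passes an explicit boolean. A comment on the branch would record the new contract, for example `// aborted: caller passed a falsy proceed (remaining tasks are no longer consulted)`. The commit message mentions only untainting, so this behaviour change is easy to miss in history. The body of `nexttask` starts and ends outside the hunk.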
diff --git a/www/secmail/tasks.rb b/www/secmail/tasks.rb
index 1203599..a560ae1 100644
--- a/www/secmail/tasks.rb
+++ b/www/secmail/tasks.rb
@@ -45,7 +45,7 @@ class Wunderbar::JsonBuilder
def svn *args
args << svnauth if %(checkout update commit).include? args.first
- _.system 'svn', *args
+ _.system! 'svn', *args
end
def svnauth
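Review bot: The credential check on the line above the change uses `%(checkout update commit)`, which is a plain string literal, so `include?` does a substring match. `svnauth` is therefore appended for any first argument that is a fragment of that string (for example `up` or `date`), not only for the three subcommands. `%w(checkout update commit).include? args.first` compares against the exact words and keeps the credentials off every other invocation. Separately, the switch to `_.system!` presumably makes a failed svn call raise rather than continue, so it is worth confirming that callers such as the commit step in icla.json.rb expect that. `svnauth` continues outside the hunk.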
diff --git a/www/secmail/views/actions/icla.json.rb b/www/secmail/views/actions/icla.json.rb
index d57cd90..b53cd86 100644
--- a/www/secmail/views/actions/icla.json.rb
+++ b/www/secmail/views/actions/icla.json.rb
@@ -122,6 +122,11 @@ task "email #@email" do
mail.cc = cc.uniq
mail.bcc = message.bcc - cc if message.bcc
+ # untaint email addresses
+ mail.to = mail.to.map {|email| email.dup.untaint}
+ mail.cc = mail.cc.map {|email| email.dup.untaint}
+ mail.bcc = mail.bcc.map {|email| email.dup.untaint} if message.bcc
+
# add reply info
mail.in_reply_to = message.id
mail.references = message.id
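Review bot: The added `email.dup.untaint` calls clear the taint flag on every To, Cc and Bcc address without checking the value first. That turns the taint check into a no-op for data that appears to come from the incoming message and the form (`@email`, `message.bcc`). Untainting is safest as the last step of validation, for example `raise ArgumentError, "bad address" unless email =~ /\A[^\s<>]+@[^\s<>]+\z/` inside the block before the `untaint` (the pattern is a sketch that rejects whitespace, CR/LF and angle brackets; adjust it to the project's address rules). The same lines are repeated in the hunk at `@@ -201,6 +205,11 @@`, so a single helper would keep both copies in step. The enclosing `task` block starts and ends outside the hunk.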
@@ -182,8 +187,7 @@ if @user and not @user.empty? and pmc and not @votelink.empty?
svn 'diff', dest
# commit changes
- svn 'commit', dest, '-m',
- "#{@user} account request by #{env.user}"
+ svn 'commit', dest, '-m', "#{@user} account request by #{env.user}"
end
end
@@ -201,6 +205,11 @@ if @user and not @user.empty? and pmc and not @votelink.empty?
cc << podling.private_mail_list if podling # copy podling
mail.cc = cc.uniq
+ # untaint email addresses
+ mail.to = mail.to.map {|email| email.dup.untaint}
+ mail.cc = mail.cc.map {|email| email.dup.untaint}
+ mail.bcc = mail.bcc.map {|email| email.dup.untaint} if message.bcc
+
# echo email
form do
_message mail.to_s
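Review bot: The Bcc line in this copy is guarded by `if message.bcc`, but unlike the first copy no `mail.bcc =` assignment is visible in this hunk's context. If `mail.bcc` is unset on this path while `message.bcc` is present, `mail.bcc.map` would be called on nil. Guarding on the value being mapped avoids the mismatch: `mail.bcc = mail.bcc.map {|email| email.dup.untaint} if mail.bcc`. The surrounding block begins before the hunk, so an assignment may exist above the visible lines.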
--