Posted to commits@whimsical.apache.org by ru...@apache.org on 2016/09/15 12:33:15 UTC

[whimsy] branch master updated: untaint email addresses

This is an automated email from the ASF dual-hosted git repository.

rubys pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/whimsy.git

The following commit(s) were added to refs/heads/master by this push:
       new  e39392f   untaint email addresses
e39392f is described below

commit e39392fb0fb40d00bb00b22bc09f740702af0271
Author: Sam Ruby <ru...@intertwingly.net>
AuthorDate: Thu Sep 15 08:30:35 2016 -0400

    untaint email addresses
---
 www/secmail/public/tasklist.js         |  2 +-
 www/secmail/tasks.rb                   |  2 +-
 www/secmail/views/actions/icla.json.rb | 13 +++++++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/www/secmail/public/tasklist.js b/www/secmail/public/tasklist.js
index e2ea23e..1674f29 100644
--- a/www/secmail/public/tasklist.js
+++ b/www/secmail/public/tasklist.js
@@ -75,7 +75,7 @@ function nexttask(proceed) {
 
     spinner.remove();
 
-    if (tasks.length) {
+    if (!proceed) {
       $('h1').removeClass('bg-info').addClass('bg-danger').
         text('Processing Aborted');
       message = {status: 'aborted'}
diff --git a/www/secmail/tasks.rb b/www/secmail/tasks.rb
index 1203599..a560ae1 100644
--- a/www/secmail/tasks.rb
+++ b/www/secmail/tasks.rb
@@ -45,7 +45,7 @@ class Wunderbar::JsonBuilder
 
   def svn *args
     args << svnauth if %(checkout update commit).include? args.first
-    _.system 'svn', *args
+    _.system! 'svn', *args
   end
 
   def svnauth
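Review bot: The guard on the context line just above the changed call, `args << svnauth if %(checkout update commit).include? args.first`, tests against a String literal rather than a word list, so `include?` is a substring match: any first argument that happens to be a substring of that text (`'co'`, `'up'`, `'out'`) would also get `svnauth` appended, and a nil first argument raises TypeError instead of being skipped. Since `svnauth` looks like it attaches authentication to the command, the intent is presumably an exact match on the three subcommands; `args << svnauth if %w[checkout update commit].include?(args.first)`. The switch to `_.system!` presumably turns a failing svn invocation into a raise rather than a silently ignored exit status, which the callers in icla.json.rb now rely on; a one-line comment stating that, `# raise if svn exits non-zero`, would make the contract visible. The class body continues outside this hunk.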
diff --git a/www/secmail/views/actions/icla.json.rb b/www/secmail/views/actions/icla.json.rb
index d57cd90..b53cd86 100644
--- a/www/secmail/views/actions/icla.json.rb
+++ b/www/secmail/views/actions/icla.json.rb
@@ -122,6 +122,11 @@ task "email #@email" do
   mail.cc = cc.uniq
   mail.bcc = message.bcc - cc if message.bcc
 
+  # untaint email addresses
+  mail.to = mail.to.map {|email| email.dup.untaint}
+  mail.cc = mail.cc.map {|email| email.dup.untaint}
+  mail.bcc = mail.bcc.map {|email| email.dup.untaint} if message.bcc
+
   # add reply info
   mail.in_reply_to = message.id
   mail.references = message.id
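Review bot: The added `untaint` calls on lines 61–63 (and the identical three lines added again in the last hunk of this file) clear the taint flag on every address without checking the value first, which inverts what taint tracking is for: the flag marks data that arrived from outside, and untainting it asserts that it has been validated. The recipients here are assembled from the inbound message's headers, so a malformed or injected value is untainted together with the legitimate ones. I would route both copies through one helper, defined once near the top of the file, that checks each address looks like a single bare address before clearing the flag, and keep the `dup` so the originals on `message` stay tainted; the pattern below is deliberately conservative and would need relaxing if display-name forms reach this point, which I cannot tell from the hunk. The enclosing `task` block starts before this hunk.

```ruby
# Return copies of +addresses+ with the taint flag cleared, refusing
# anything that does not look like a single bare address.
def untaint_addresses(addresses)
  addresses.map do |email|
    unless email =~ /\A[^@\s<>]+@[^@\s<>]+\z/
      raise ArgumentError, "refusing to untaint invalid address: #{email.inspect}"
    end
    email.dup.untaint
  end
end

# … unchanged: mail.cc / mail.bcc assignment …
mail.to = untaint_addresses(mail.to)
mail.cc = untaint_addresses(mail.cc)
mail.bcc = untaint_addresses(mail.bcc) if message.bcc
```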
@@ -182,8 +187,7 @@ if @user and not @user.empty? and pmc and not @votelink.empty?
       svn 'diff', dest
 
       # commit changes
-      svn 'commit', dest, '-m', 
-        "#{@user} account request by #{env.user}"
+      svn 'commit', dest, '-m', "#{@user} account request by #{env.user}"
     end
   end
 
@@ -201,6 +205,11 @@ if @user and not @user.empty? and pmc and not @votelink.empty?
     cc << podling.private_mail_list if podling # copy podling
     mail.cc = cc.uniq
 
+    # untaint email addresses
+    mail.to = mail.to.map {|email| email.dup.untaint}
+    mail.cc = mail.cc.map {|email| email.dup.untaint}
+    mail.bcc = mail.bcc.map {|email| email.dup.untaint} if message.bcc
+
     # echo email
     form do
       _message mail.to_s
