That did the trick and I will test thoroughly. I was suspecting it was a
security issue.

Many thanks!!

On Tue, 2007-13-03 at 00:18 +0900, Rick DeNatale wrote:
> On 3/12/07, peter <ruby / iwebsl.com> wrote:
> >
> >
> > Yes I understand that, removing the '' fails, as does adding "" or
> > anything I have tried. I can remove the () and [] and as long as I use a
> > proper email address instead of a var it works.
> >
> >
> > [Mon Mar 12 10:14:04 2007] [error] mod_ruby: error in ruby
> > [Mon Mar 12 10:14:04 2007] [error]
> > mod_ruby: /usr/lib/ruby/1.8/net/smtp.rb:540:in `send0': tainted to_addr
> > (SecurityError)
> >
> > >
> > > not:
> > > smtp.open_message_stream('sender / mail.com', ['email']) do
> > >
> > >
> > > but:
> > > smtp.open_message_stream('sender / mail.com', [email]) do
> > >
> 
> Okay, I finally realize that we have been chasing the wrong issue.
> 
> The problem isn't that you are using a variable vs. a literal, it's
> that the email address you got from the form is marked as tainted and
> you are running with $SAFE > 0.
> 
> Here's the relevant code from Net::SMTP; it's in the send0 method, which
> is called by open_message_stream:
> 
>       if $SAFE > 0
>         raise SecurityError, 'tainted from_addr' if from_addr.tainted?
>         to_addrs.each do |to|
>           raise SecurityError, 'tainted to_addr' if to.tainted?
>         end
>       end
> 
> Web frameworks often do, and should, mark strings obtained from the
> user as tainted; this avoids various security exposures.
> 
> You should try either:
> 
> smtp.open_message_stream('sender / mail.com', [email.untaint]) do
> 
> or
> 
> smtp.open_message_stream('sender / mail.com', email.untaint) do
> 
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.
>
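
Rick's closing suggestion, testing the address syntactically before calling untaint, written out as an added Ruby example that is not part of either post or of Net::SMTP. The names checked_recipient and InvalidRecipient are hypothetical, and the accepted syntax is a deliberately narrow subset of valid addresses.

```ruby
# Added example, not code from the thread or from Net::SMTP.
# checked_recipient and InvalidRecipient are hypothetical names; the accepted
# syntax is a deliberately narrow subset of real-world addresses.
class InvalidRecipient < ArgumentError; end

MAX_ADDR_LEN  = 254
MAX_LOCAL_LEN = 64
# \A and \z anchor the whole string; ^ and $ only anchor a line in Ruby.
LOCAL_RE = /\A[A-Za-z0-9._%+-]+\z/
LABEL_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

def checked_recipient(raw)
  unless raw.is_a?(String) && raw.valid_encoding?
    raise InvalidRecipient, 'not a valid string'
  end
  addr = raw.strip
  if addr.empty? || addr.bytesize > MAX_ADDR_LEN
    raise InvalidRecipient, 'empty or too long'
  end
  # The address ends up on an SMTP command line, so no control characters.
  raise InvalidRecipient, 'control character' if addr.match?(/[\x00-\x1f\x7f]/)

  parts = addr.split('@', -1)
  raise InvalidRecipient, 'need exactly one @' unless parts.length == 2
  local, domain = parts

  if local.length > MAX_LOCAL_LEN || !local.match?(LOCAL_RE) ||
     local.start_with?('.') || local.end_with?('.') || local.include?('..')
    raise InvalidRecipient, 'bad local part'
  end

  labels = domain.split('.', -1)
  unless labels.length >= 2 && labels.all? { |l| l.match?(LABEL_RE) }
    raise InvalidRecipient, 'bad domain'
  end

  clean = "#{local}@#{domain.downcase}"
  # Only now is untaint justified. Object#untaint was removed in Ruby 3.2,
  # so call it only where the runtime still has it.
  clean.untaint if clean.respond_to?(:untaint)
  clean.freeze
end
```

Pass the return value, rather than `email.untaint`, as the recipient in `open_message_stream`, and rescue `InvalidRecipient` to send the user back to the form.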