Rick Denatale wrote:
> On 3/12/07, peter <ruby / iwebsl.com> wrote:
>> (SecurityError)
>> >
>> > but:
>> > smtp.open_message_stream('sender / mail.com', [email]) do
>> >
> 
> Okay, I finally realize that we have been chasing the wrong issue.
> 
> The problem isn't that you are using a variable vs. a literal, it's
> that the email address you got from the form is marked as tainted and
> you are running with $safe > 0
> 
> Web frameworks often do, and should, mark strings obtained from the
> user as tainted, this avoids various security exposures.
> 
> You should try either:
> 
> smtp.open_message_stream('sender / mail.com', [email.untaint]) do
> 
> or
> 
> smtp.open_message_stream('sender / mail.com', email.untaint) do
> 
> You might want to apply various tests to email to see if it is a valid
> email address, at least syntactically first, but this should get you
> around the current problem.

Yeah, you may do this and create yet another web-based mailer that will 
allow everyone to send email to anyone. The email variable contents 
were tainted for a reason! "Solving" the issue by blind untainting is not 
the brightest thing to do. You should validate the email first and (if 
at all possible) make sure it's one of the allowed addresses or at least 
that it's in the allowed domain(s).

Jenda

-- 
Posted via http://www.ruby-forum.com/.
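The check Jenda is asking for, as an added example that is not from the thread: the recipient is validated syntactically and against an allow-list of domains, and only then is the taint flag cleared before the string goes to Net::SMTP. The allow-list domains are constructed for the example; `untaint` is only called where it exists (Ruby before 3.2), since the thread's `$SAFE` tainting was removed in later Rubies.

```ruby
# Allow-list of recipient domains this mailer may send to (constructed
# values for the example; a real deployment would load its own list).
ALLOWED_DOMAINS = %w[example.com example.org].freeze

# Conservative syntax check: one local part, one '@', a dotted domain with
# a letters-only top level, and no whitespace or newlines anywhere. Anchoring
# with \A and \z rejects strings that carry a second line (e.g. an injected
# "Bcc:" header), which a bare ^...$ regex would accept.
EMAIL_RE = /\A[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}\z/

class InvalidRecipient < StandardError; end

# Returns a copy of +email+ that is safe to hand to
# Net::SMTP#open_message_stream, or raises InvalidRecipient.
def safe_recipient(email, allowed_domains = ALLOWED_DOMAINS)
  raise InvalidRecipient, "recipient is not a string" unless email.is_a?(String)

  addr = email.strip
  raise InvalidRecipient, "bad syntax: #{addr.inspect}" unless addr.match?(EMAIL_RE)

  domain = addr.split("@", 2).last.downcase
  unless allowed_domains.include?(domain)
    raise InvalidRecipient, "domain not allowed: #{domain}"
  end

  # Only a value that passed both checks loses its taint. On Ruby < 3.2
  # this is what lets it through with $SAFE > 0; newer Rubies have no
  # taint tracking, so the call is simply skipped there.
  addr = addr.dup
  addr.untaint if addr.respond_to?(:untaint)
  addr
end

# Convenience wrapper returning true/false for callers that prefer not to
# rescue the exception (e.g. a form validator).
def allowed_recipient?(email, allowed_domains = ALLOWED_DOMAINS)
  safe_recipient(email, allowed_domains)
  true
rescue InvalidRecipient
  false
end
```

In the thread's code this becomes `smtp.open_message_stream('sender / mail.com', [safe_recipient(email)]) do`, so an address outside the allow-list never reaches the SMTP session.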