RubyGems - mail - Versions diffs - 2.6.5 → 2.6.6.rc1 - Mend

mail 2.6.5 → 2.6.6.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.rdoc +5 -0
data/lib/mail/check_delivery_params.rb +47 -10
data/lib/mail/network/delivery_methods/file_delivery.rb +4 -8
data/lib/mail/network/delivery_methods/sendmail.rb +2 -4
data/lib/mail/network/delivery_methods/smtp.rb +2 -5
data/lib/mail/network/delivery_methods/smtp_connection.rb +2 -6
data/lib/mail/network/delivery_methods/test_mailer.rb +5 -8
data/lib/mail/version.rb +2 -2
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a4283c0737ab7bc528ff6a60317c46e1a2ff0f92
-  data.tar.gz: 8f98051e95f99f1622283e76919404d08027b7ff
+  metadata.gz: ff722f1c50918ad8e99f86995d08b803d32f745e
+  data.tar.gz: f552360cabc519f3fc959e6c193ef1d37d55670e
 SHA512:
-  metadata.gz: 63514c34ddad591e76cb6704122775906f4d603aad4e90024ec88f17d7f19a78129dfe15d561b2f9e3807bdb074e6269dbdcb09d95656da2399b143e58681cd2
-  data.tar.gz: a05cbc7af1c553e062d405b024390c17b03649f280c1c171b278b373401c1843657dc25e316f5041a44fdd3aba19f2a7a44b9d33d0ca9074bab06ed6c86b068d
+  metadata.gz: 73ff2add4d33b0e7ee9b8fc7b4473fcaf8cb7b581d6dbda1a3e6e6a46ed19d1f25c1a614e6ad142eb05982d47078eee4828f27aa76e48101822fba7ebbc78175
+  data.tar.gz: 48904e5d7a407ed85c7ef7be12dd1bd2e70042db1d99d9b1ff66a9af693862f3697498bbb2784a29900926d68e1a22d8bfad8e7b538a3bc26733a72660e35387

data/CHANGELOG.rdoc CHANGED

@@ -1,3 +1,8 @@
+== Version 2.6.6 - unreleased
+Security:
+* #1097 – SMTP security: prevent command injection via To/From addresses. (jeremy)
 == Version 2.6.5 - 2017-04-26 Jeremy Daer <jeremydaer@gmail.com>
 Features:

data/lib/mail/check_delivery_params.rb CHANGED

@@ -1,21 +1,58 @@
 # frozen_string_literal: true
 module Mail
-  module CheckDeliveryParams
-    def check_delivery_params(mail)
-      if Utilities.blank?(mail.smtp_envelope_from)
-        raise ArgumentError.new('An SMTP From address is required to send a message. Set the message smtp_envelope_from, return_path, sender, or from address.')
+  module CheckDeliveryParams #:nodoc:
+    class << self
+      def check(mail)
+        [ check_from(mail.smtp_envelope_from),
+          check_to(mail.smtp_envelope_to),
+          check_message(mail) ]
       end
-      if Utilities.blank?(mail.smtp_envelope_to)
-        raise ArgumentError.new('An SMTP To address is required to send a message. Set the message smtp_envelope_to, to, cc, or bcc address.')
+      def check_from(addr)
+        if Utilities.blank?(addr)
+          raise ArgumentError, "SMTP From address may not be blank: #{addr.inspect}"
+        end
+        check_addr 'From', addr
+      end
+      def check_to(addrs)
+        if Utilities.blank?(addrs)
+          raise ArgumentError, "SMTP To address may not be blank: #{addrs.inspect}"
+        end
+        Array(addrs).map do |addr|
+          check_addr 'To', addr
+        end
       end
-      message = mail.encoded if mail.respond_to?(:encoded)
-      if Utilities.blank?(message)
-        raise ArgumentError.new('An encoded message is required to send an email')
+      def check_addr(addr_name, addr)
+        validate_smtp_addr addr do |error_message|
+          raise ArgumentError, "SMTP #{addr_name} address #{error_message}: #{addr.inspect}"
+        end
       end
-      [mail.smtp_envelope_from, mail.smtp_envelope_to, message]
+      def validate_smtp_addr(addr)
+        if addr.bytesize > 2048
+          yield 'may not exceed 2kB'
+        end
+        if /[\r\n]/ =~ addr
+          yield 'may not contain CR or LF line breaks'
+        end
+        addr
+      end
+      def check_message(message)
+        message = message.encoded if message.respond_to?(:encoded)
+        if Utilities.blank?(message)
+          raise ArgumentError, 'An encoded message is required to send an email'
+        end
+        message
+      end
     end
   end
 end

data/lib/mail/network/delivery_methods/file_delivery.rb CHANGED

@@ -2,7 +2,6 @@
 require 'mail/check_delivery_params'
 module Mail
   # FileDelivery class delivers emails into multiple files based on the destination
   # address.  Each file is appended to if it already exists.
   #
@@ -14,22 +13,20 @@ module Mail
   # Make sure the path you specify with :location is writable by the Ruby process
   # running Mail.
   class FileDelivery
-    include Mail::CheckDeliveryParams
     if RUBY_VERSION >= '1.9.1'
       require 'fileutils'
     else
       require 'ftools'
     end
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :location => './mails' }.merge!(values)
     end
-    attr_accessor :settings
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
       if ::File.respond_to?(:makedirs)
         ::File.makedirs settings[:location]
@@ -41,6 +38,5 @@ module Mail
         ::File.open(::File.join(settings[:location], File.basename(to.to_s)), 'a') { |f| "#{f.write(mail.encoded)}\r\n\r\n" }
       end
     end
   end
 end

data/lib/mail/network/delivery_methods/sendmail.rb CHANGED

@@ -38,17 +38,15 @@ module Mail
   #
   #   mail.deliver!
   class Sendmail
-    include Mail::CheckDeliveryParams
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :location       => '/usr/sbin/sendmail',
                         :arguments      => '-i' }.merge(values)
     end
-    attr_accessor :settings
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       from = "-f #{self.class.shellquote(smtp_from)}"
       to = smtp_to.map { |_to| self.class.shellquote(_to) }.join(' ')

data/lib/mail/network/delivery_methods/smtp.rb CHANGED

@@ -75,7 +75,7 @@ module Mail
   #
   #   mail.deliver!
   class SMTP
-    include Mail::CheckDeliveryParams
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :address              => "localhost",
@@ -91,12 +91,10 @@ module Mail
                       }.merge!(values)
     end
-    attr_accessor :settings
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       smtp = Net::SMTP.new(settings[:address], settings[:port])
       if settings[:tls] || settings[:ssl]
@@ -120,7 +118,6 @@ module Mail
         self
       end
     end
     private

data/lib/mail/network/delivery_methods/smtp_connection.rb CHANGED

@@ -38,7 +38,7 @@ module Mail
   #
   #   mail.deliver!
   class SMTPConnection
-    include Mail::CheckDeliveryParams
+    attr_accessor :smtp, :settings
     def initialize(values)
       raise ArgumentError.new('A Net::SMTP object is required for this delivery method') if values[:connection].nil?
@@ -46,17 +46,13 @@ module Mail
       self.settings = values
     end
-    attr_accessor :smtp
-    attr_accessor :settings
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       response = smtp.sendmail(message, smtp_from, smtp_to)
       settings[:return_response] ? response : self
     end
   end
 end

data/lib/mail/network/delivery_methods/test_mailer.rb CHANGED

@@ -8,10 +8,8 @@ module Mail
   # It also provides a template of the minimum methods you require to implement
   # if you want to make a custom mailer for Mail
   class TestMailer
-    include Mail::CheckDeliveryParams
     # Provides a store of all the emails sent with the TestMailer so you can check them.
-    def TestMailer.deliveries
+    def self.deliveries
       @@deliveries ||= []
     end
@@ -26,20 +24,19 @@ module Mail
     # * length
     # * size
     # * and other common Array methods
-    def TestMailer.deliveries=(val)
+    def self.deliveries=(val)
       @@deliveries = val
     end
+    attr_accessor :settings
     def initialize(values)
       @settings = values.dup
     end
-    attr_accessor :settings
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
       Mail::TestMailer.deliveries << mail
     end
   end
 end

data/lib/mail/version.rb CHANGED

@@ -4,8 +4,8 @@ module Mail
     MAJOR = 2
     MINOR = 6
-    PATCH = 5
-    BUILD = nil
+    PATCH = 6
+    BUILD = 'rc1'
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mail
 version: !ruby/object:Gem::Version
-  version: 2.6.5
+  version: 2.6.6.rc1
 platform: ruby
 authors:
 - Mikel Lindsaar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-04-27 00:00:00.000000000 Z
+date: 2017-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mime-types
@@ -264,12 +264,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.10
+rubygems_version: 2.6.12
 signing_key:
 specification_version: 4
 summary: Mail provides a nice Ruby DSL for making, sending and reading emails.