mail 2.4.1 → 2.4.3

data/CHANGELOG.rdoc

@@ -1,4 +1,12 @@
-== Thu Jan 19 13:49:34 UTC 2012 Mikel Lindsaar <mikel@reinteractive.net>
+== HEAD
+
+== Version 2.4.3 - Tue Mar 6 19:38:00 UTC 2012 Mikel Lindsaar <mikel@reinteractive.net>
+
+* Fix security vulnerability allowing command line exploit when using exim or sendmail from the command line
+* Change Mail#deliver! to also inform the interceptors
+* Encodings.value_decode(str): Treat lines with mixed encoding correctly when the line ends with a plain text part.
+
+== Version 2.4.1 - Thu Jan 19 13:49:34 UTC 2012 Mikel Lindsaar <mikel@reinteractive.net>
 
 * Fix non ascii character folding problems
 * Handle multipart mail in Mail::Message#to_yaml / #from_yaml
@@ -8,7 +16,7 @@
 * Updated treetop to latest version, specs now run approximately 25-30% faster!
 * Version bump to 2.4.1 and gem release
 
-== Sun Jan 15 18:15:56 UTC 2011 Mikel Lindsaar <mikel@reinteractive.net>
+== Version 2.4.0 - Sun Jan 15 18:15:56 UTC 2011 Mikel Lindsaar <mikel@reinteractive.net>
 
 * Speed up reading of messages by about 12x
 * Added Message#without_attachments! that removes all message's attachments
@@ -34,7 +42,7 @@
 * Lots of warnings fixed
 * Version bump to 2.4.0 and gem release
 
-== Tue Apr 26 09:59:56 UTC 2011 Mikel Lindsaar <mikel@rubyx.com>
+== Version 2.3.0 - Tue Apr 26 09:59:56 UTC 2011 Mikel Lindsaar <mikel@rubyx.com>
 
 * Remove ActiveSupport from the dependencies, load Active Support if present, or use internals if not
 * Created v2.2 branch for all 2.2 related commits

data/Gemfile.lock

@@ -1,6 +1,7 @@
 GEM
   remote: http://rubygems.org/
   specs:
+    ZenTest (4.4.2)
     activesupport (3.0.6)
     columnize (0.3.6)
     diff-lcs (1.1.3)
@@ -9,21 +10,19 @@ GEM
       rbx-require-relative (> 0.0.4)
     mime-types (1.16)
     polyglot (0.3.3)
-    rake (0.9.2.2)
+    rake (0.8.7)
     rbx-require-relative (0.0.5)
-    rspec (2.8.0)
-      rspec-core (~> 2.8.0)
-      rspec-expectations (~> 2.8.0)
-      rspec-mocks (~> 2.8.0)
-    rspec-core (2.8.0)
-    rspec-expectations (2.8.0)
+    rspec (1.3.2)
+    rspec-core (2.4.0)
+    rspec-expectations (2.4.0)
       diff-lcs (~> 1.1.2)
-    rspec-mocks (2.8.0)
+    rspec-mocks (2.4.0)
     ruby-debug (0.10.4)
       columnize (>= 0.1)
       ruby-debug-base (~> 0.10.4.0)
     ruby-debug-base (0.10.4)
       linecache (>= 0.3)
+    ruby-debug-base (0.10.4-java)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
@@ -33,10 +32,16 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  ZenTest (~> 4.4.0)
   activesupport (>= 2.3.6)
+  bundler
+  diff-lcs
   i18n (>= 0.4.0)
   mime-types (~> 1.16)
-  rake (> 0.8.7)
-  rspec (~> 2.8.0)
+  rake (~> 0.8.7)
+  rspec (~> 1.3.0)
+  rspec-core (~> 2.4.0)
+  rspec-expectations (~> 2.4.0)
+  rspec-mocks (~> 2.4.0)
   ruby-debug
-  treetop (~> 1.4.10)
+  treetop (~> 1.4.8)

data/README.md

@@ -25,6 +25,20 @@ Finally, Mail has been designed with a very simple object oriented system
 that really opens up the email messages you are parsing, if you know what
 you are doing, you can fiddle with every last bit of your email directly.
 
+Donations
+-------------
+
+Mail has been downloaded millions of times, by people around the world, in fact,
+it represents more than 1% of *all* gems downloaded.  
+
+It is (like all open source software) a labour of love and something I am doing
+with my own free time.  If you would like to say thanks, please feel free to
+[make a donation](http://www.pledgie.com/campaigns/8790) and feel free to send
+me a nice email :)
+
+<a href='http://www.pledgie.com/campaigns/8790'><img alt='Click here to lend your support to: mail and make a donation at www.pledgie.com !' src='http://www.pledgie.com/campaigns/8790.png?skin_name=chrome' border='0' /></a>
+
+
 Compatibility
 -------------
 

data/lib/VERSION

@@ -1,4 +1,4 @@
 major:2
 minor:4
-patch:1
+patch:3
 build:

data/lib/mail.rb

@@ -29,7 +29,7 @@ module Mail # :doc:
   require 'mail/core_extensions/nil'
   require 'mail/core_extensions/object'
   require 'mail/core_extensions/string'
-  require 'mail/core_extensions/shellwords' unless String.new.respond_to?(:shellescape)
+  require 'mail/core_extensions/shell_escape'
   require 'mail/core_extensions/smtp' if RUBY_VERSION < '1.9.3'
   require 'mail/indifferent_hash'
 

data/lib/mail/core_extensions/shell_escape.rb

@@ -0,0 +1,56 @@
+# encoding: utf-8
+
+# The following is an adaptation of ruby 1.9.2's shellwords.rb file,
+# it is modified to include '+' in the allowed list to allow for
+# sendmail to accept email addresses as the sender with a + in them
+#
+module Mail
+  module ShellEscape
+    # Escapes a string so that it can be safely used in a Bourne shell
+    # command line.
+    #
+    # Note that a resulted string should be used unquoted and is not
+    # intended for use in double quotes nor in single quotes.
+    #
+    #   open("| grep #{Shellwords.escape(pattern)} file") { |pipe|
+    #     # ...
+    #   }
+    #
+    # +String#shellescape+ is a shorthand for this function.
+    #
+    #   open("| grep #{pattern.shellescape} file") { |pipe|
+    #     # ...
+    #   }
+    #
+    def escape_for_shell(str)
+      # An empty argument will be skipped, so return empty quotes.
+      return "''" if str.empty?
+
+      str = str.dup
+
+      # Process as a single byte sequence because not all shell
+      # implementations are multibyte aware.
+      str.gsub!(/([^A-Za-z0-9_\s\+\-.,:\/@\n])/n, "\\\\\\1")
+
+      # A LF cannot be escaped with a backslash because a backslash + LF
+      # combo is regarded as line continuation and simply ignored.
+      str.gsub!(/\n/, "'\n'")
+
+      return str
+    end
+
+    module_function :escape_for_shell
+  end
+end
+
+class String
+  # call-seq:
+  #   str.shellescape => string
+  #
+  # Escapes +str+ so that it can be safely used in a Bourne shell
+  # command line.  See +Shellwords::shellescape+ for details.
+  #
+  def escape_for_shell
+    Mail::ShellEscape.escape_for_shell(self)
+  end
+end

data/lib/mail/encodings.rb

@@ -130,7 +130,7 @@ module Mail
           text.scan(/(                                  # Group around entire regex to include it in matches
                        \=\?[^?]+\?([QB])\?[^?]+?\?\=  # Quoted String with subgroup for encoding method
                        |                                # or
-                       .+?(?=\=\?)                      # Plain String
+                       .+?(?=\=\?|$)                    # Plain String
                      )/xmi).map do |matches|
             string, method = *matches
             if    method == 'b' || method == 'B'

data/lib/mail/message.rb

@@ -237,10 +237,11 @@ module Mail
     # This method bypasses checking perform_deliveries and raise_delivery_errors,
     # so use with caution.
     #
-    # It still however fires callbacks to the observers if they are defined.
+    # It still however fires off the intercepters and calls the observers callbacks if they are defined.
     #
     # Returns self
     def deliver!
+      inform_interceptors
       response = delivery_method.deliver!(self)
       inform_observers
       delivery_method.settings[:return_response] ? response : self

data/lib/mail/network/delivery_methods/exim.rb

@@ -1,12 +1,45 @@
 module Mail
 
+  # A delivery method implementation which sends via exim.
+  #
+  # To use this, first find out where the exim binary is on your computer,
+  # if you are on a mac or unix box, it is usually in /usr/sbin/exim, this will
+  # be your exim location.
+  #
+  #   Mail.defaults do
+  #     delivery_method :exim
+  #   end
+  #
+  # Or if your exim binary is not at '/usr/sbin/exim'
+  #
+  #   Mail.defaults do
+  #     delivery_method :exim, :location => '/absolute/path/to/your/exim'
+  #   end
+  #
+  # Then just deliver the email as normal:
+  #
+  #   Mail.deliver do
+  #     to 'mikel@test.lindsaar.net'
+  #     from 'ada@test.lindsaar.net'
+  #     subject 'testing exim'
+  #     body 'testing exim'
+  #   end
+  #
+  # Or by calling deliver on a Mail message
+  #
+  #   mail = Mail.new do
+  #     to 'mikel@test.lindsaar.net'
+  #     from 'ada@test.lindsaar.net'
+  #     subject 'testing exim'
+  #     body 'testing exim'
+  #   end
+  #
+  #   mail.deliver!
   class Exim < Sendmail
 
-    def deliver!(mail)
-      envelope_from = mail.return_path || mail.sender || mail.from_addrs.first
-      return_path = "-f \"#{envelope_from.to_s.shellescape}\"" if envelope_from
-      arguments = [settings[:arguments], return_path].compact.join(" ")
-      self.class.call(settings[:location], arguments, mail)
+    def initialize(values)
+      self.settings = { :location       => '/usr/sbin/exim',
+                        :arguments      => '-i -t' }.merge(values)
     end
 
     def self.call(path, arguments, mail)

data/lib/mail/network/delivery_methods/sendmail.rb

@@ -45,14 +45,14 @@ module Mail
 
     def deliver!(mail)
       envelope_from = mail.return_path || mail.sender || mail.from_addrs.first
-      return_path = "-f \"#{envelope_from.to_s.gsub('"', '\"')}\"" if envelope_from
+      return_path = "-f " + '"' + envelope_from.escape_for_shell + '"' if envelope_from
 
       arguments = [settings[:arguments], return_path].compact.join(" ")
 
-      Sendmail.call(settings[:location], arguments, mail.destinations.collect(&:shellescape).join(" "), mail)
+      self.class.call(settings[:location], arguments, mail.destinations.collect(&:escape_for_shell).join(" "), mail)
     end
 
-    def Sendmail.call(path, arguments, destinations, mail)
+    def self.call(path, arguments, destinations, mail)
       IO.popen("#{path} #{arguments} #{destinations}", "w+") do |io|
         io.puts mail.encoded.to_lf
         io.flush

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: mail
 version: !ruby/object:Gem::Version 
-  hash: 29
-  prerelease: 
+  hash: 25
+  prerelease: false
   segments: 
   - 2
   - 4
-  - 1
-  version: 2.4.1
+  - 3
+  version: 2.4.3
 platform: ruby
 authors: 
 - Mikel Lindsaar
@@ -15,7 +15,8 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-01-20 00:00:00 Z
+date: 2012-03-06 00:00:00 +11:00
+default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: mime-types
@@ -89,7 +90,7 @@ files:
 - lib/mail/configuration.rb
 - lib/mail/core_extensions/nil.rb
 - lib/mail/core_extensions/object.rb
-- lib/mail/core_extensions/shellwords.rb
+- lib/mail/core_extensions/shell_escape.rb
 - lib/mail/core_extensions/smtp.rb
 - lib/mail/core_extensions/string/access.rb
 - lib/mail/core_extensions/string/multibyte.rb
@@ -216,6 +217,7 @@ files:
 - lib/tasks/corpus.rake
 - lib/tasks/treetop.rake
 - lib/VERSION
+has_rdoc: true
 homepage: http://github.com/mikel/mail
 licenses: []
 
@@ -245,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Mail provides a nice Ruby DSL for making, sending and reading emails.

data/lib/mail/core_extensions/shellwords.rb

@@ -1,57 +0,0 @@
-# encoding: utf-8
-
-# The following is imported from ruby 1.9.2 shellwords.rb
-#
-module Shellwords
-  # Escapes a string so that it can be safely used in a Bourne shell
-  # command line.
-  #
-  # Note that a resulted string should be used unquoted and is not
-  # intended for use in double quotes nor in single quotes.
-  #
-  #   open("| grep #{Shellwords.escape(pattern)} file") { |pipe|
-  #     # ...
-  #   }
-  #
-  # +String#shellescape+ is a shorthand for this function.
-  #
-  #   open("| grep #{pattern.shellescape} file") { |pipe|
-  #     # ...
-  #   }
-  #
-  def shellescape(str)
-    # An empty argument will be skipped, so return empty quotes.
-    return "''" if str.empty?
-
-    str = str.dup
-
-    # Process as a single byte sequence because not all shell
-    # implementations are multibyte aware.
-    str.gsub!(/([^A-Za-z0-9_\-.,:\/@\n])/n, "\\\\\\1")
-
-    # A LF cannot be escaped with a backslash because a backslash + LF
-    # combo is regarded as line continuation and simply ignored.
-    str.gsub!(/\n/, "'\n'")
-
-    return str
-  end
-
-  module_function :shellescape
-
-  class << self
-    alias escape shellescape
-  end
-
-end
-
-class String
-  # call-seq:
-  #   str.shellescape => string
-  #
-  # Escapes +str+ so that it can be safely used in a Bourne shell
-  # command line.  See +Shellwords::shellescape+ for details.
-  #
-  def shellescape
-    Shellwords.escape(self)
-  end
-end