RubyGems - mail - Versions diffs - 2.6.5 → 2.6.6.rc1 - Mend

mail 2.6.5 → 2.6.6.rc1

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.rdoc +5 -0
data/lib/mail/check_delivery_params.rb +47 -10
data/lib/mail/network/delivery_methods/file_delivery.rb +4 -8
data/lib/mail/network/delivery_methods/sendmail.rb +2 -4
data/lib/mail/network/delivery_methods/smtp.rb +2 -5
data/lib/mail/network/delivery_methods/smtp_connection.rb +2 -6
data/lib/mail/network/delivery_methods/test_mailer.rb +5 -8
data/lib/mail/version.rb +2 -2
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a4283c0737ab7bc528ff6a60317c46e1a2ff0f92
-  data.tar.gz: 8f98051e95f99f1622283e76919404d08027b7ff
+  metadata.gz: ff722f1c50918ad8e99f86995d08b803d32f745e
+  data.tar.gz: f552360cabc519f3fc959e6c193ef1d37d55670e
 SHA512:
-  metadata.gz: 63514c34ddad591e76cb6704122775906f4d603aad4e90024ec88f17d7f19a78129dfe15d561b2f9e3807bdb074e6269dbdcb09d95656da2399b143e58681cd2
-  data.tar.gz: a05cbc7af1c553e062d405b024390c17b03649f280c1c171b278b373401c1843657dc25e316f5041a44fdd3aba19f2a7a44b9d33d0ca9074bab06ed6c86b068d
+  metadata.gz: 73ff2add4d33b0e7ee9b8fc7b4473fcaf8cb7b581d6dbda1a3e6e6a46ed19d1f25c1a614e6ad142eb05982d47078eee4828f27aa76e48101822fba7ebbc78175
+  data.tar.gz: 48904e5d7a407ed85c7ef7be12dd1bd2e70042db1d99d9b1ff66a9af693862f3697498bbb2784a29900926d68e1a22d8bfad8e7b538a3bc26733a72660e35387

data/CHANGELOG.rdoc CHANGED

@@ -1,3 +1,8 @@
+== Version 2.6.6 - unreleased
+Security:
+* #1097 – SMTP security: prevent command injection via To/From addresses. (jeremy)
 == Version 2.6.5 - 2017-04-26 Jeremy Daer <jeremydaer@gmail.com>
 Features:

data/lib/mail/check_delivery_params.rb CHANGED

@@ -1,21 +1,58 @@
 # frozen_string_literal: true
 module Mail
-  module CheckDeliveryParams
-    def check_delivery_params(mail)
-      if Utilities.blank?(mail.smtp_envelope_from)
-        raise ArgumentError.new('An SMTP From address is required to send a message. Set the message smtp_envelope_from, return_path, sender, or from address.')
+  module CheckDeliveryParams #:nodoc:
+    class << self
+      def check(mail)
+        [ check_from(mail.smtp_envelope_from),
+          check_to(mail.smtp_envelope_to),
+          check_message(mail) ]
       end
-      if Utilities.blank?(mail.smtp_envelope_to)
-        raise ArgumentError.new('An SMTP To address is required to send a message. Set the message smtp_envelope_to, to, cc, or bcc address.')
+      def check_from(addr)
+        if Utilities.blank?(addr)
+          raise ArgumentError, "SMTP From address may not be blank: #{addr.inspect}"
+        end
+        check_addr 'From', addr
+      end
+      def check_to(addrs)
+        if Utilities.blank?(addrs)
+          raise ArgumentError, "SMTP To address may not be blank: #{addrs.inspect}"
+        end
+        Array(addrs).map do |addr|
+          check_addr 'To', addr
+        end
       end
-      message = mail.encoded if mail.respond_to?(:encoded)
-      if Utilities.blank?(message)
-        raise ArgumentError.new('An encoded message is required to send an email')
+      def check_addr(addr_name, addr)
+        validate_smtp_addr addr do |error_message|
+          raise ArgumentError, "SMTP #{addr_name} address #{error_message}: #{addr.inspect}"
+        end
       end
-      [mail.smtp_envelope_from, mail.smtp_envelope_to, message]
+      def validate_smtp_addr(addr)
+        if addr.bytesize > 2048
+          yield 'may not exceed 2kB'
+        end
+        if /[\r\n]/ =~ addr
+          yield 'may not contain CR or LF line breaks'
+        end
+        addr
+      end
+      def check_message(message)
+        message = message.encoded if message.respond_to?(:encoded)
+        if Utilities.blank?(message)
+          raise ArgumentError, 'An encoded message is required to send an email'
+        end
+        message
+      end
     end
   end
 end

data/lib/mail/network/delivery_methods/file_delivery.rb CHANGED

@@ -2,7 +2,6 @@
 require 'mail/check_delivery_params'
 module Mail
   # FileDelivery class delivers emails into multiple files based on the destination
   # address.  Each file is appended to if it already exists.
   #
@@ -14,22 +13,20 @@ module Mail
   # Make sure the path you specify with :location is writable by the Ruby process
   # running Mail.
   class FileDelivery
-    include Mail::CheckDeliveryParams
     if RUBY_VERSION >= '1.9.1'
       require 'fileutils'
     else
       require 'ftools'
     end
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :location => './mails' }.merge!(values)
     end
-    attr_accessor :settings
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
       if ::File.respond_to?(:makedirs)
         ::File.makedirs settings[:location]
@@ -41,6 +38,5 @@ module Mail
         ::File.open(::File.join(settings[:location], File.basename(to.to_s)), 'a') { |f| "#{f.write(mail.encoded)}\r\n\r\n" }
       end
     end
   end
 end

data/lib/mail/network/delivery_methods/sendmail.rb CHANGED

@@ -38,17 +38,15 @@ module Mail
   #
   #   mail.deliver!
   class Sendmail
-    include Mail::CheckDeliveryParams
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :location       => '/usr/sbin/sendmail',
                         :arguments      => '-i' }.merge(values)
     end
-    attr_accessor :settings
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       from = "-f #{self.class.shellquote(smtp_from)}"
       to = smtp_to.map { |_to| self.class.shellquote(_to) }.join(' ')

data/lib/mail/network/delivery_methods/smtp.rb CHANGED

@@ -75,7 +75,7 @@ module Mail
   #
   #   mail.deliver!
   class SMTP
-    include Mail::CheckDeliveryParams
+    attr_accessor :settings
     def initialize(values)
       self.settings = { :address              => "localhost",
@@ -91,12 +91,10 @@ module Mail
                       }.merge!(values)
     end
-    attr_accessor :settings
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       smtp = Net::SMTP.new(settings[:address], settings[:port])
       if settings[:tls] || settings[:ssl]
@@ -120,7 +118,6 @@ module Mail
         self
       end
     end
     private

data/lib/mail/network/delivery_methods/smtp_connection.rb CHANGED

@@ -38,7 +38,7 @@ module Mail
   #
   #   mail.deliver!
   class SMTPConnection
-    include Mail::CheckDeliveryParams
+    attr_accessor :smtp, :settings
     def initialize(values)
       raise ArgumentError.new('A Net::SMTP object is required for this delivery method') if values[:connection].nil?
@@ -46,17 +46,13 @@ module Mail
       self.settings = values
     end
-    attr_accessor :smtp
-    attr_accessor :settings
     # Send the message via SMTP.
     # The from and to attributes are optional. If not set, they are retrieve from the Message.
     def deliver!(mail)
-      smtp_from, smtp_to, message = check_delivery_params(mail)
+      smtp_from, smtp_to, message = Mail::CheckDeliveryParams.check(mail)
       response = smtp.sendmail(message, smtp_from, smtp_to)
       settings[:return_response] ? response : self
     end
   end
 end

data/lib/mail/network/delivery_methods/test_mailer.rb CHANGED

@@ -8,10 +8,8 @@ module Mail
   # It also provides a template of the minimum methods you require to implement
   # if you want to make a custom mailer for Mail
   class TestMailer
-    include Mail::CheckDeliveryParams
     # Provides a store of all the emails sent with the TestMailer so you can check them.
-    def TestMailer.deliveries
+    def self.deliveries
       @@deliveries ||= []
     end
@@ -26,20 +24,19 @@ module Mail
     # * length
     # * size
     # * and other common Array methods
-    def TestMailer.deliveries=(val)
+    def self.deliveries=(val)
       @@deliveries = val
     end
+    attr_accessor :settings
     def initialize(values)
       @settings = values.dup
     end
-    attr_accessor :settings
     def deliver!(mail)
-      check_delivery_params(mail)
+      Mail::CheckDeliveryParams.check(mail)
       Mail::TestMailer.deliveries << mail
     end
   end
 end

data/lib/mail/version.rb CHANGED

@@ -4,8 +4,8 @@ module Mail
     MAJOR = 2
     MINOR = 6
-    PATCH = 5
-    BUILD = nil
+    PATCH = 6
+    BUILD = 'rc1'
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mail
 version: !ruby/object:Gem::Version
-  version: 2.6.5
+  version: 2.6.6.rc1
 platform: ruby
 authors:
 - Mikel Lindsaar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-04-27 00:00:00.000000000 Z
+date: 2017-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mime-types
@@ -264,12 +264,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.10
+rubygems_version: 2.6.12
 signing_key:
 specification_version: 4
 summary: Mail provides a nice Ruby DSL for making, sending and reading emails.