whimsical-commits mailing list archives

From ru...@apache.org
Subject [whimsy] branch master updated: untaint from address
Date Tue, 06 Nov 2018 10:51:58 GMT
This is an automated email from the ASF dual-hosted git repository.

rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new 05f5e83  untaint from address
05f5e83 is described below

commit 05f5e833b0304db47866b32be5cec6f42e7e7b51
Author: Sam Ruby <rubys@intertwingly.net>
AuthorDate: Tue Nov 6 10:51:36 2018 +0000

    untaint from address
---
 www/secretary/workbench/templates/acreq.erb        | 1 -
 www/secretary/workbench/views/actions/icla.json.rb | 5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/secretary/workbench/templates/acreq.erb b/www/secretary/workbench/templates/acreq.erb
index 2b2a073..9c4c94f 100644
--- a/www/secretary/workbench/templates/acreq.erb
+++ b/www/secretary/workbench/templates/acreq.erb
@@ -1,5 +1,4 @@
 To:   root@apache.org
-From: <%= @from %>
 Subject: [FORM] Account Request - <%= @email %>: <%= @pubname %>
 
 Prospective userid: <%= @user %>
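Review bot: with the `From: <%= @from %>` line removed at the top of acreq.erb, the template no longer supplies a sender, and the only `mail.from` assignment visible in this commit sits in icla.json.rb inside the `if @valid_user and @pmc and not @votelink.empty?` block; it is not visible here whether that assignment applies to the mail rendered from this template. Confirm that the code sending the account request sets the sender explicitly from a validated value, and note that in a comment near the template's header block. The Subject line still interpolates `@email` and `@pubname` directly into a header, so those values need the same line-break check as the From value.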
diff --git a/www/secretary/workbench/views/actions/icla.json.rb b/www/secretary/workbench/views/actions/icla.json.rb
index fddc303..c968dfe 100644
--- a/www/secretary/workbench/views/actions/icla.json.rb
+++ b/www/secretary/workbench/views/actions/icla.json.rb
@@ -10,6 +10,8 @@
 # extract message
 message = Mailbox.find(@message)
 
+@from.untaint if @from =~ /\A("?[\s\w]+"?\s+<)?\w+@apache\.org>?\z/
+
 # extract file extension
 fileext = File.extname(@selected).downcase if @signature.empty?
 
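Review bot: the pattern on the added `@from.untaint if @from =~ ...` line uses `\s` in both `[\s\w]+` and `\s+<`, and `\s` matches CR and LF, so a From value with line breaks inside the display name passes the check and is untainted before it reaches a mail header. Restrict the whitespace to a literal space or tab (for example `[ \w]+` and `[ \t]+<`). The quote and angle-bracket delimiters are each optional on their own, so unbalanced forms such as a closing `>` with no opening `<` are accepted; writing the bare address and the `Name <address>` form as two explicit alternatives would close that. A short comment stating which From formats are meant to be allowed would help the next reader.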
@@ -237,8 +239,9 @@ if @valid_user and @pmc and not @votelink.empty?
     cc << @podling.private_mail_list if @podling # copy podling
     mail.cc = cc.uniq.map {|email| email.dup.untaint}
 
-    # untaint to email addresses
+    # untaint from and to email addresses
     mail.to = mail.to.map {|email| email.dup.untaint}
+    mail.from = @from.untaint
 
     # echo email
     form do
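Review bot: `mail.from = @from.untaint` clears the taint flag unconditionally, so when the pattern check added near the top of the file did not match, `@from` is marked trusted here anyway and the check has no effect on this path. Assign `mail.from = @from` so that a value that failed the check stays tainted, or reject the request earlier when the pattern does not match. The call also mutates `@from` in place, while the neighbouring `to` and `cc` lines use `email.dup.untaint`.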

