I've heard that it's possible to halt email injection attacks by using validate_request, but does anyone have an example of how to actually do this? Thanks

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Joe Peck wrote:
> I've heard that it's possible to halt email injection attacks by using
> validate_request, but does anyone have an example of how to actually do
> this? Thanks

I've done this in PHP, but is there a good way to do this in RoR?

--
Posted via http://www.ruby-forum.com/.
Anyone?

--
Posted via http://www.ruby-forum.com/.
Surely someone must know something about this.

--
Posted via http://www.ruby-forum.com/.
please don't bump your message just because you didn't get a reply. if someone was interested or had an answer, i'm sure they would have answered by now.

that being said, i assume by validate_request you mean the plugin. after looking at the readme/usage it appears to only support:

1) validating type of request
2) validating a parameter as either an integer or string
3) validating a string parameter against a specific string
4) validating a parameter against a model

in other words, i don't see how you could stop email injection based on that functionality. now, that's not to say you couldn't do those checks in your code yourself, where necessary. no plugin is necessary.

- check if request is a post/get
- check form fields against email injection (ie, match header fields against one or more regular expressions)

point is, you're going to have to do the same thing regardless of the language. now, most of the email injection info i've seen has to do with how the php mail() function constructs the mail message itself. ActionMailer may not be prone to this type of attack if it functions differently. Not to say it is or is not, because I don't know.

Chris

On 1/24/07, Joe Peck <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Surely someone must know something about this.
>
> --
> Posted via http://www.ruby-forum.com/.
I wonder if it is enough to scan the message body for To:, Bc:, Cc: and there was something else (Content-something) and replace them?

-- Long
http://MeandmyCity.com/ - Free, searchable business directory for local communities
http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin for Rails

----- Original Message -----
From: "Joe Peck" <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>
To: <rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Sent: Wednesday, January 24, 2007 9:17 AM
Subject: [Rails] Re: Email Injection attacks

> Surely someone must know something about this.
>
> --
> Posted via http://www.ruby-forum.com/.
not just the message body. you'd have to scan the headers (to, from, subject) for anything that shouldn't be there or not in the correct format.

see http://www.securephpwiki.com/index.php/Email_Injection for a list of example scenarios.

On 1/24/07, Long <long755-bJEeYj9oJeDQT0dZR+AlfA@public.gmane.org> wrote:
> I wonder if it is enough to scan the message body for
> To:, Bc:, Cc: and there was something else (Content-something)
> and replace them?
>
> -- Long
> http://MeandmyCity.com/ - Free, searchable business directory for local communities
> http://edgesoft.ca/blog/read/2 - No-Cookie Session Support plugin for Rails
I agree. Each form field should be scanned.

-- Long

Chris Hall wrote:
> not just the message body. you'd have to scan the headers (to, from,
> subject) for anything that shouldn't be there or not in the correct
> format.
>
> see
>
> http://www.securephpwiki.com/index.php/Email_Injection
>
> for a list of example scenarios.
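The checks Chris and Long describe above (request method, header fields free of line breaks, address in the correct format, each field scanned) written out as plain Ruby. This is an added example, not code from the thread or from the validate_request plugin; the module name, method names and the sample inputs are all constructed for illustration.

```ruby
# Added example: validate contact-form input before it reaches a mailer.
# Names (ContactFormCheck, check) are invented for this illustration.
module ContactFormCheck
  # A header value must be a single line; a raw or URL-encoded CR/LF is
  # what lets extra headers (Bcc:, Content-Type: ...) be appended.
  HEADER_BREAK = /[\r\n]|%0[ad]/i

  # Conservative address shape: one local part, one dotted domain, no spaces.
  EMAIL = /\A[\w.+-]+@[a-z\d-]+(\.[a-z\d-]+)+\z/i

  # Fields that end up in mail headers and therefore must stay single-line.
  HEADER_FIELDS = %w[name email subject].freeze

  # Returns an array of error strings; an empty array means the input is
  # safe to hand to the mailer. `method` is the HTTP verb as a string.
  def self.check(method, params)
    errors = []
    errors << "request must be POST" unless method.to_s.casecmp("POST").zero?

    HEADER_FIELDS.each do |field|
      value = params[field].to_s
      errors << "#{field} is blank" if value.strip.empty?
      errors << "#{field} contains a line break" if value =~ HEADER_BREAK
    end

    email = params["email"].to_s
    errors << "email is not a valid address" unless email =~ EMAIL

    # The body may legitimately span lines, but a body whose first line
    # looks like a mail header is a sign of an injection attempt.
    body = params["body"].to_s
    errors << "body is blank" if body.strip.empty?
    if body.lines.first.to_s =~ /\A(to|cc|bcc|from|content-type|mime-version):/i
      errors << "body starts with a header line"
    end
    errors
  end
end

# Constructed sample submissions: one clean, one with a CR/LF in the address.
GOOD_FORM = { "name" => "Jane", "email" => "jane@example.com",
              "subject" => "Hello", "body" => "Hi there" }.freeze
BAD_FORM  = { "name" => "Jane", "email" => "jane@example.com\nBcc: other@example.net",
              "subject" => "Hello", "body" => "Hi" }.freeze

if __FILE__ == $PROGRAM_NAME
  p ContactFormCheck.check("POST", GOOD_FORM)  # => []
  p ContactFormCheck.check("POST", BAD_FORM)
end
```

In a Rails controller the same check would be driven by `request.post?` and `params`; rejecting the submission (rather than stripping the offending characters) keeps the logic simple and leaves a clear signal in the logs.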
Wow, thanks for all the information everyone. Weird how this gets no replies for two days, then gets a bunch all in one day. Thanks again.

--
Posted via http://www.ruby-forum.com/.