Pin mail gem to version 2.6.6.rc1

This fixes a vulnerability that allows users to send spam from any form that allows email input (e.g. signup). For more about the vulnerability see: mikel/mail#1097 When implicit dependency resolution in Gemfile.lock resolves to a released mail version that includes the fix, the explicit dependency in Gemfile will be removed.
amatriain · May 15, 2017 · 0471094 · 0471094
1 parent 1034657
commit 0471094
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/Gemfile b/Gemfile
@@ -4,6 +4,15 @@ ruby '2.4.1'
 
 gem 'rails', '~> 5.0.2'
 
+# TEMPORARY update mail gem
+# to fix vulnerability; see 
+# https://github.com/mikel/mail/pull/1097
+# Remove this explicit dependency when 
+# implicit dependency resolution in Gemfile.lock
+# resolves mail to a fixed version (2.5.5.rc1, 2.6.6.rc1, 2.7.0.rc1
+# or higher)
+gem 'mail', '2.6.6.rc1'
+
 # Sanitizer to replace poorly maintained new rails sanitizer
 gem 'sanitize'
 gem 'loofah'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -225,7 +225,7 @@ GEM
       addressable (~> 2.3)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    mail (2.6.5)
+    mail (2.6.6.rc1)
       mime-types (>= 1.16, < 4)
     method_source (0.8.2)
     mime-types (3.1)
@@ -467,6 +467,7 @@ DEPENDENCIES
   kaminari
   launchy
   loofah
+  mail (= 2.6.6.rc1)
   newrelic_rpm
   nokogiri
   nokogumbo (= 1.4.9)