Fix a security vulnerability: eval used in quoting display name0.6.9.4

This use of eval allows arbitrary remote code execution on parsing of a maliciously formed email.
author: Mark Longair <mhl@pobox.com> 2013-06-17 09:53:29 +0100
committer: Mark Longair <mhl@pobox.com> 2013-06-17 09:53:29 +0100
commit: 06dbc0b9e05b1db03c979c7900bfe0d0844155a4 (patch)
tree: 57e5eaff6db1e160ee07d574681b27f2d6826644
parent: 6fa9c17c7cd5551489a77f6e89543b7886be51d4 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb
index b75e6ed63..905315f1f 100644
--- a/lib/mail_handler/backends/mail_backend.rb
+++ b/lib/mail_handler/backends/mail_backend.rb
@@ -78,7 +78,7 @@ module MailHandler
                     if first_from.is_a?(String)
                         return nil
                     else
-                        return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil
+                        return (first_from.display_name || nil)
                     end
                 else
                     return nil
author	Mark Longair <mhl@pobox.com>	2013-06-17 09:53:29 +0100
committer	Mark Longair <mhl@pobox.com>	2013-06-17 09:53:29 +0100
commit	06dbc0b9e05b1db03c979c7900bfe0d0844155a4 (patch)
tree	57e5eaff6db1e160ee07d574681b27f2d6826644
parent	6fa9c17c7cd5551489a77f6e89543b7886be51d4 (diff)