Fix a security vulnerability: eval used in quoting display name0.9.0.8

This use of eval allows arbitrary remote code execution on parsing of a maliciously formed email.
author: Mark Longair <mhl@pobox.com> 2013-06-17 09:53:29 +0100
committer: Mark Longair <mhl@pobox.com> 2013-06-17 11:26:18 +0100
commit: 7221b444e2e454f12ac1fa16374a37b23256cb40 (patch)
tree: 5e058457c8ebe7f1d4df7e3b05c6b149cd78cd84
parent: 071d9acda250a07fd70f36db657c5e043e54d5a2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb
index 0a12ab3bb..5c54fe7e2 100644
--- a/lib/mail_handler/backends/mail_backend.rb
+++ b/lib/mail_handler/backends/mail_backend.rb
@@ -77,7 +77,7 @@ module MailHandler
                     if first_from.is_a?(String)
                         return nil
                     else
-                        return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil
+                        return (first_from.display_name || nil)
                     end
                 else
                     return nil
author	Mark Longair <mhl@pobox.com>	2013-06-17 09:53:29 +0100
committer	Mark Longair <mhl@pobox.com>	2013-06-17 11:26:18 +0100
commit	7221b444e2e454f12ac1fa16374a37b23256cb40 (patch)
tree	5e058457c8ebe7f1d4df7e3b05c6b149cd78cd84
parent	071d9acda250a07fd70f36db657c5e043e54d5a2 (diff)