diff options
| author | Mark Longair <mhl@pobox.com> | 2013-06-17 09:53:29 +0100 |
|---|---|---|
| committer | Mark Longair <mhl@pobox.com> | 2013-06-17 12:25:13 +0100 |
| commit | 64ae21945a69441ad6a58a1069417e7a56cc15f6 (patch) | |
| tree | 33a6d8002327856e290c717a77bdca36ecef5b3a /lib/mail_handler/backends/mail_backend.rb | |
| parent | e31d6252d206afb155d09eb54fb068f7695880d1 (diff) | |
Fix a security vulnerability: eval used in quoting display name0.11.0.12
This use of eval allows arbitrary remote code execution on
parsing of a maliciously formed email.
Two tests are updated to match the behaviour of the new
code to return the display name - these introduce extra
escaping, so should be innocous.
Diffstat (limited to 'lib/mail_handler/backends/mail_backend.rb')
| -rw-r--r-- | lib/mail_handler/backends/mail_backend.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb index 561946980..28c486e1b 100644 --- a/lib/mail_handler/backends/mail_backend.rb +++ b/lib/mail_handler/backends/mail_backend.rb @@ -112,7 +112,7 @@ module MailHandler if first_from.is_a?(ActiveSupport::Multibyte::Chars) return nil else - return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil + return (first_from.display_name || nil) end else return nil |