Fix a security vulnerability: eval used in quoting display name0.8.0.3

This use of eval allows arbitrary remote code execution on parsing of a maliciously formed email.
author: Mark Longair <mhl@pobox.com> 2013-06-17 09:53:29 +0100
committer: Mark Longair <mhl@pobox.com> 2013-06-17 11:10:51 +0100
commit: e39d4dc20f0d7906f43bd220f553dcef970d07e7 (patch)
tree: 547848e3eca9a81871d81d599c7debcf4c265081 /lib/mail_handler/backends/mail_backend.rb
parent: 4929b1e738d15d2178e131701027ef20492599d9 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb
index 0a12ab3bb..5c54fe7e2 100644
--- a/lib/mail_handler/backends/mail_backend.rb
+++ b/lib/mail_handler/backends/mail_backend.rb
@@ -77,7 +77,7 @@ module MailHandler
                     if first_from.is_a?(String)
                         return nil
                     else
-                        return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil
+                        return (first_from.display_name || nil)
                     end
                 else
                     return nil
author	Mark Longair <mhl@pobox.com>	2013-06-17 09:53:29 +0100
committer	Mark Longair <mhl@pobox.com>	2013-06-17 11:10:51 +0100
commit	e39d4dc20f0d7906f43bd220f553dcef970d07e7 (patch)
tree	547848e3eca9a81871d81d599c7debcf4c265081 /lib/mail_handler/backends/mail_backend.rb
parent	4929b1e738d15d2178e131701027ef20492599d9 (diff)