From 64ae21945a69441ad6a58a1069417e7a56cc15f6 Mon Sep 17 00:00:00 2001
From: Mark Longair
Date: Mon, 17 Jun 2013 09:53:29 +0100
Subject: Fix a security vulnerability: eval used in quoting display name

This use of eval allows arbitrary remote code execution on parsing of a maliciously formed email.

Two tests are updated to match the behaviour of the new code to return the display name - these introduce extra escaping, so should be innocuous.
---
 lib/mail_handler/backends/mail_backend.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/mail_handler/backends/mail_backend.rb')

diff --git a/lib/mail_handler/backends/mail_backend.rb b/lib/mail_handler/backends/mail_backend.rb
index 561946980..28c486e1b 100644
--- a/lib/mail_handler/backends/mail_backend.rb
+++ b/lib/mail_handler/backends/mail_backend.rb
@@ -112,7 +112,7 @@ module MailHandler
       if first_from.is_a?(ActiveSupport::Multibyte::Chars)
         return nil
       else
-        return first_from.display_name ? eval(%Q{"#{first_from.display_name}"}) : nil
+        return (first_from.display_name || nil)
       end
     else
       return nil
-- 
cgit v1.2.3
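Review bot: on the added line, `|| nil` is redundant: `first_from.display_name` already evaluates to nil when the address has no display name, so `return first_from.display_name` says the same thing without the parentheses. Dropping the eval also drops the escape processing it performed on the name, which the commit message says is why two test expectations gained extra escaping; that is the intended behaviour change, but a one-line comment beside the return saying the name is deliberately returned unprocessed would stop a later reader from reintroducing the quoting.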
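As an added example, not code from the commit or the project it patches, the following Ruby reproduces the removed expression and the added expression from the hunk above as two functions and runs both over constructed display names. The function names, the sample names and the `$payload_ran` marker are assumptions for illustration; it shows that the old form executes any `#{...}` sequence an attacker puts in a From: display name, and that the new form returns the name untouched (including the backslash escapes the eval used to process, which is the extra escaping the commit message refers to).

```ruby
# Added example: reproduces the removed ("-") expression and the added ("+")
# expression from the hunk above as two functions and runs both over
# constructed display names. Not code from the commit or the project; the
# function names, the inputs and the $payload_ran marker are illustrative.

# Vulnerable form (the "-" line). The display name is spliced into Ruby
# source text for a double-quoted string literal and handed to eval, so any
# "#{...}" sequence inside the name is executed as Ruby.
def display_name_via_eval(display_name)
  display_name ? eval(%Q{"#{display_name}"}) : nil
end

# Fixed form (the "+" line): the display name is returned as-is.
def display_name_fixed(display_name)
  display_name || nil
end

# Constructed inputs standing in for a parsed From: display name.
BENIGN_NAME  = 'Mary Smith'
# Name carrying backslash escapes; eval processed them, the fix does not
# (the "extra escaping" the commit message mentions in the updated tests).
ESCAPED_NAME = 'Mary \"Smith\"'
# Hostile name. Single quotes keep the #{...} literal so it reaches eval
# unexpanded. The payload only flips a global so the demo has no side
# effects on the host; a real attacker would put system(...) there.
$payload_ran = false
HOSTILE_NAME = 'Mary Smith #{$payload_ran = true; "owned"}'

# Runs both forms over the inputs and records what each returned and whether
# the embedded payload executed.
def compare_display_name_handling
  out = {}
  [[:benign, BENIGN_NAME], [:escaped, ESCAPED_NAME], [:hostile, HOSTILE_NAME]].each do |label, name|
    $payload_ran = false
    out[:"#{label}_eval"] = display_name_via_eval(name)
    out[:"#{label}_eval_ran_payload"] = $payload_ran
    $payload_ran = false
    out[:"#{label}_fixed"] = display_name_fixed(name)
    out[:"#{label}_fixed_ran_payload"] = $payload_ran
  end
  out[:nil_fixed] = display_name_fixed(nil)
  out
end

if __FILE__ == $0
  compare_display_name_handling.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running it prints one line per result: the hostile name comes back from the eval form as `Mary Smith owned` with the payload marker set, while the fixed form returns the raw string and never runs anything. The escaped name shows the behaviour change the commit message anticipates: eval turned `\"` into a bare quote, the fixed code leaves the backslashes in place.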