mirror of
git://git.sv.gnu.org/emacs.git
synced 2026-06-14 04:21:24 +00:00
Fix Lisp injection via X-Draft-From in Gnus
* lisp/gnus/gnus-msg.el (gnus-inews-make-draft-meta-information): Escape the group name with prin1-to-string to prevent arbitrary Lisp injection through crafted group names. The unescaped group name was embedded into a Lisp-readable string, parsed back with read-from-string in gnus-draft-setup, and eventually eval'd via message-do-actions, allowing code execution when a draft was sent.
This commit is contained in:
Jacek Migacz
Paul Eggert
parent
d6f7b2d99b
commit
142b1e0d4c
1 changed files with 1 additions and 1 deletions
|
|
@ -444,7 +444,7 @@ only affect the Gcc copy, but not the original message."
|
|||
(defun gnus-inews-make-draft-meta-information (group articles)
|
||||
(when (numberp articles)
|
||||
(setq articles (list articles)))
|
||||
(concat "(\"" group "\""
|
||||
(concat "(" (prin1-to-string (or group ""))
|
||||
(if articles
|
||||
(concat " "
|
||||
(mapconcat
|
||||
|
|
|
|||
Loading…
Reference in a new issue