From 142b1e0d4c3f63fd5aa07ce748915137fea1ec52 Mon Sep 17 00:00:00 2001 From: Jacek Migacz Date: Thu, 21 May 2026 10:44:55 +0000 Subject: [PATCH] Fix Lisp injection via X-Draft-From in Gnus * lisp/gnus/gnus-msg.el (gnus-inews-make-draft-meta-information): Escape the group name with prin1-to-string to prevent arbitrary Lisp injection through crafted group names. The unescaped group name was embedded into a Lisp-readable string, parsed back with read-from-string in gnus-draft-setup, and eventually eval'd via message-do-actions, allowing code execution when a draft was sent. --- lisp/gnus/gnus-msg.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/gnus/gnus-msg.el b/lisp/gnus/gnus-msg.el index 99f1735dfec..a478093fc6c 100644 --- a/lisp/gnus/gnus-msg.el +++ b/lisp/gnus/gnus-msg.el @@ -444,7 +444,7 @@ only affect the Gcc copy, but not the original message." (defun gnus-inews-make-draft-meta-information (group articles) (when (numberp articles) (setq articles (list articles))) - (concat "(\"" group "\"" + (concat "(" (prin1-to-string (or group "")) (if articles (concat " " (mapconcat
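Review bot: the `+` line now serializes the group name with `prin1-to-string`, but this string ends up in the X-Draft-From header (per the subject line), and `prin1-to-string` emits a raw newline for a string that contains one unless `print-escape-newlines` is non-nil; consider `(let ((print-escape-newlines t)) (prin1-to-string (or group "")))` so a multi-line group name cannot split or truncate the header before `read-from-string` sees it on the consuming side. The `(or group "")` guard is right: without it a nil group would print as the symbol `nil` instead of the empty string the old `concat` produced for nil. Since the commit message says the parsed value is still spliced into forms and handed to `eval` via `message-do-actions`, a follow-up in `gnus-draft-setup` that checks the shape of what `read-from-string` returned (a string group and a list of integers) before using it would add defense in depth against a draft file edited by hand.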
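The round-trip problem the commit message describes, as an added Emacs Lisp example that is not Gnus code: a simplified stand-in for the old `concat` serialization beside the `prin1-to-string` form, fed a constructed group name containing a double quote, to show why a consumer that reads the meta information back with `read-from-string` no longer gets the original group. The function names, the sample group name, the article list, the simplified handling of the articles part and the `print-escape-newlines` binding are all assumptions of this example, not part of the patch.

```elisp
;; Added example, not code from gnus-msg.el.  Shows the difference
;; between splicing a raw group name into a Lisp-readable string and
;; serializing it with `prin1-to-string'.  The articles part is
;; simplified to a single printed list.

(defun demo-draft-meta-unsafe (group articles)
  "Old style: the raw GROUP is dropped between literal quotes."
  (concat "(\"" group "\" " (prin1-to-string articles) ")"))

(defun demo-draft-meta-safe (group articles)
  "Fixed style: GROUP is printed as an escaped Lisp string.
Binding `print-escape-newlines' is an extra precaution assumed here so
that a newline in GROUP cannot split a header line."
  (let ((print-escape-newlines t))
    (concat "(" (prin1-to-string (or group ""))
            " " (prin1-to-string articles) ")")))

;; Constructed inputs: the group name contains a double quote.  No real
;; group or article is meant; it only shows the structural break.
(defvar demo-group "nnml:inbox\" \"extra")
(defvar demo-articles '(12 13))

(defun demo-read-group (meta)
  "Parse META the way a consumer using `read-from-string' would and
return the group it believes it was given (first element of the list)."
  (car (car (read-from-string meta))))

(defun demo-run ()
  "Self-check: does the parsed group equal the group that was written?
Returns a two-element list: (UNSAFE-ROUND-TRIP-OK SAFE-ROUND-TRIP-OK).
With the unsafe form the quote inside the group name closes the string
early, so the consumer sees a shorter group and an extra list element it
never asked for; with the safe form the quote is escaped and the round
trip is exact."
  (list (equal (demo-read-group (demo-draft-meta-unsafe demo-group demo-articles))
               demo-group)
        (equal (demo-read-group (demo-draft-meta-safe demo-group demo-articles))
               demo-group)))
```

Evaluating `(demo-run)` in an Emacs session returns `(nil t)`: the unsafe serialization fails the round trip while the `prin1-to-string` form preserves the group name exactly. Inspecting `(demo-draft-meta-unsafe demo-group demo-articles)` shows the extra element that the consumer would go on to treat as data it had written itself, which is the root of the injection the patch closes.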