sup

A curses threads-with-tags style email client

sup.git

git clone https://supmua.dev/git/sup/
commit 85fdddfa423c7f990e80a9876b1325dd30514af6
parent 916a354db8eb851bff6ff2e3f2e08727d132a8dc
Author: Gaute Hope <eg@gaute.vetsj.com>
Date:   Mon, 28 Oct 2013 16:25:01 +0100

note on shellwords and remote command injection

Diffstat:
M History.txt | 2 ++
M ReleaseNotes | 3 +++
2 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/History.txt b/History.txt
@@ -45,6 +45,8 @@
 * Tempfiles for attachments are persistent through the sup process to
   ensure that spawned processes have access to them.
 
+* Fix incorrect use of Shellwords.escape to better prevent remote
+  command injection.
 
 == 0.14.1 / 2013-08-31
 
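Review bot: The new History.txt bullet does not mark itself as a security fix or say which code was affected, so it reads like any other changelog item. "to better prevent" also leaves it unclear whether the injection is fully closed or only reduced. Suggest prefixing the entry with something like "Security:" and naming the affected area (the ReleaseNotes hunk in this same commit points at the mime-view/mime-decode hooks), so packagers and users scanning the history can tell that this release needs prompt attention.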
diff --git a/ReleaseNotes b/ReleaseNotes
@@ -6,6 +6,9 @@ how to set it up.
 sup-sync-back has been moved to sup-sync-back-mbox, please make sure
 you make any needed changes.
 
+Shellwords.escape was used somewhat incorrectly which still allowed a
+potential remote command injection, please make sure your mime-view/mime-decode
+hooks have been updated (see wiki).
 
 Release 0.14.1:
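Review bot: The added ReleaseNotes paragraph tells users to update their mime-view/mime-decode hooks "(see wiki)" but gives neither a URL nor a page name, and does not say what has to change in a hook. Release notes are often read from a tarball or a distribution package with no wiki at hand, so a user with a custom hook cannot tell from this text whether theirs is still exposed. Suggest adding the wiki page link and one sentence describing the required change to existing hooks. Minor: "incorrectly which still allowed ... injection, please make sure" is a comma splice; split it into two sentences so the instruction to users stands out.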