commit 92effb1a21610f94eb95cac46549572b4bfe9f57
parent aa374765c6dc58b54c2d2d928bcf6702ea8bbccc
Author: Gaute Hope <eg@gaute.vetsj.com>
Date: Mon, 26 Aug 2013 12:06:47 +0200
Prevent command injection in attachment
Diffstat:
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/Hooks.txt b/doc/Hooks.txt
@@ -50,10 +50,11 @@ before-poll:
mime-decode:
## turn text/html attachments into plain text, unless they are part
## of a multipart/alternative pair
+ require 'shellwords'
unless sibling_types.member? "text/plain"
case content_type
when "text/html"
- `/usr/bin/w3m -dump -T #{content_type} '#(unknown)'`
+ `/usr/bin/w3m -dump -T #{content_type} '#{Shellwords.escape filename}'`
end
end
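Review bot: The new command line still wraps `Shellwords.escape filename` in single quotes, which double-quotes the argument: `Shellwords.escape` already returns a token the shell can consume unquoted (it backslash-escapes spaces and metacharacters), and inside single quotes those backslashes are literal, so an attachment named `a b.html` reaches w3m as `a\ b.html` and the conversion fails. Drop the surrounding quotes: `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`. Better still, avoid the shell entirely with the array form, `IO.popen(['/usr/bin/w3m', '-dump', '-T', content_type, filename], &:read)`, which needs no escaping and also covers `content_type`, which is interpolated unescaped here (harmless while the `when` only matches "text/html", but fragile if the case is extended). Since this is example code readers paste into their own hooks, the corrected form matters more than in a throwaway snippet; the hook body continues outside the hunk.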