44 lines
1.2 KiB
Diff
44 lines
1.2 KiB
Diff
From c7c5f7f272659981f4c6bbfa212257945c86d17c Mon Sep 17 00:00:00 2001
|
|
From: shixuantong <shixuantong@h-partners.com>
|
|
Date: Sat, 14 May 2022 16:50:02 +0800
|
|
Subject: [PATCH] fix CVE-2015-20107
|
|
|
|
---
|
|
Lib/mailcap.py | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
|
|
index bd0fc09..1ad3dd5 100644
|
|
--- a/Lib/mailcap.py
|
|
+++ b/Lib/mailcap.py
|
|
@@ -2,6 +2,7 @@
|
|
|
|
import os
|
|
import warnings
|
|
+from shlex import quote
|
|
|
|
__all__ = ["getcaps","findmatch"]
|
|
|
|
@@ -203,8 +204,6 @@ def subst(field, MIMEtype, filename, plist=[]):
|
|
c = field[i]; i = i+1
|
|
if c == '%':
|
|
res = res + c
|
|
- elif c == 's':
|
|
- res = res + filename
|
|
elif c == 't':
|
|
res = res + MIMEtype
|
|
elif c == '{':
|
|
@@ -219,6 +218,9 @@ def subst(field, MIMEtype, filename, plist=[]):
|
|
# %F == list of alternating type and filename for parts
|
|
else:
|
|
res = res + '%' + c
|
|
+ res = res.replace("'%s'", quote(filename))
|
|
+ res = res.replace('"%s"',quote(filename))
|
|
+ res = res.replace('%s',quote(filename))
|
|
return res
|
|
|
|
def findparam(name, plist):
|
|
--
|
|
1.8.3.1
|
|
|