Fix Lisp injection via X-Draft-From in Gnus

* lisp/gnus/gnus-msg.el (gnus-inews-make-draft-meta-information): Escape the group name with prin1-to-string to prevent arbitrary Lisp injection through crafted group names. The unescaped group name was embedded into a Lisp-readable string, parsed back with read-from-string in gnus-draft-setup, and eventually eval'd via message-do-actions, allowing code execution when a draft was sent.
author: Jacek Migacz <jmigacz@redhat.com> 2026-05-21 10:44:55 +0000
committer: Paul Eggert <eggert@cs.ucla.edu> 2026-05-22 11:59:43 -0700
commit: 142b1e0d4c3f63fd5aa07ce748915137fea1ec52 (patch)
tree: a42c89b563721e168fc56d649b949d53c185d61c
parent: d6f7b2d99bdbcc29e8784185612282a508cc3e84 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lisp/gnus/gnus-msg.el b/lisp/gnus/gnus-msg.el
index 99f1735dfec..a478093fc6c 100644
--- a/lisp/gnus/gnus-msg.el
+++ b/lisp/gnus/gnus-msg.el
@@ -444,7 +444,7 @@ only affect the Gcc copy, but not the original message."
 (defun gnus-inews-make-draft-meta-information (group articles)
   (when (numberp articles)
     (setq articles (list articles)))
-  (concat "(\"" group "\""
+  (concat "(" (prin1-to-string (or group ""))
 	  (if articles
 	      (concat " "
 		      (mapconcat
author	Jacek Migacz <jmigacz@redhat.com>	2026-05-21 10:44:55 +0000
committer	Paul Eggert <eggert@cs.ucla.edu>	2026-05-22 11:59:43 -0700
commit	142b1e0d4c3f63fd5aa07ce748915137fea1ec52 (patch)
tree	a42c89b563721e168fc56d649b949d53c185d61c
parent	d6f7b2d99bdbcc29e8784185612282a508cc3e84 (diff)