Command Injection bug in Mailspring MacOS build

Under macOS, Mailspring creates a Quick Look preview for email attachments.

They put the filename into the command line, with some sanitizing that removes double quotes, to create the Quick Look view.
But the command is still injectable with backtick or $(…) syntax.

So, an email with an attachment named “$(command).md” will execute an arbitrary command when the mail is read.

@posix Thanks a lot for bringing this to our attention. I will take a look at this as soon as possible!


@posix After confirming this issue, I just unlisted it from the discourse overview and search until we are able to resolve this.


This has been resolved with the latest version 10.0.2.
Thanks a lot for this report @posix
