tweak end of CVE regex slightly to allow []
[debbugs.git] / Debbugs / Recipients.pm
index 572f6e758a7a8778b31cdd6cc73e051098ff9634..a06e69249f4f41877ea92613b4aabf40cf6cb192 100644 (file)
@@ -46,7 +46,7 @@ use Params::Validate qw(:types validate_with);
 use Debbugs::Common qw(:misc :util);
 use Debbugs::Status qw(splitpackages isstrongseverity);
 
-use Debbugs::Packages qw(binarytosource);
+use Debbugs::Packages qw(binary_to_source);
 
 use Debbugs::Mail qw(get_addresses);
 
@@ -114,7 +114,9 @@ sub add_recipients {
      for my $p (splitpackages($param{data}{package})) {
          $p = lc($p);
          if (defined $config{subscription_domain}) {
-              my @source_packages = binarytosource($p);
+              my @source_packages = binary_to_source(binary => $p,
+                                                     source_only => 1,
+                                                    );
               if (@source_packages) {
                    for my $source (@source_packages) {
                         _add_address(recipients => $param{recipients},
@@ -291,8 +293,13 @@ sub determine_recipients {
                         $level = 'cc';
                    }
               }
-              # strip out all non-word non-spaces
-              $reason =~ s/[^\ \w]//g;
+              # RFC 2822 comments cannot contain specials and
+              # unquoted () or \; there's no reason for us to allow
+              # insane things here, though, so we restrict this even
+              # more to 20-7E ( -~)
+              $reason =~ s/\\/\\\\/g;
+              $reason =~ s/([\)\(])/\\$1/g;
+              $reason =~ s/[^\x20-\x7E]//g;
               push @reasons, $reason . ' for {'.join(',',@bugs).'}';
          }
          if ($param{address_only}) {
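Review bot: The escaping added from `$reason =~ s/\\/\\\\/g;` through the `[^\x20-\x7E]` strip makes the text safe only as the body of an RFC 2822 comment, and nothing in the hunk states that precondition. Compared with the removed `s/[^\ \w]//g`, the new filter lets `<`, `>`, `,`, `"`, `@` and `:` through, which is fine inside `( ... )` but would change header parsing if a caller ever emitted `@reasons` outside a comment; where they are emitted is not visible here, since determine_recipients continues past the hunk. I would reword the comment to say so, e.g. `# escape \ ( ) and drop everything outside 0x20-0x7E (incl. CR/LF), so $reason is safe only inside an RFC 2822 comment "( ... )"`, which also corrects the current wording (specials other than `(`, `)` and `\` are allowed in comment text). The bug list appended by `join(',',@bugs)` on the next line does not go through this filter, presumably because it is numeric; worth confirming.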