fix bugs 4373, 'attach mailto URI double free' and 4374, ' insert mailto URI misses...
authorPaul <paul@claws-mail.org>
Wed, 19 Aug 2020 06:56:23 +0000 (07:56 +0100)
committerPaul <paul@claws-mail.org>
Wed, 19 Aug 2020 06:56:23 +0000 (07:56 +0100)
patch by Alvar Penning

AUTHORS
src/common/utils.c
src/common/utils.h
src/gtk/authors.h

diff --git a/AUTHORS b/AUTHORS
index 5299b13813bf06c063e46ff061d510ad4fa12338..7d9f066f3fa64e6502903bc8dc9b1ef0653a9ab2 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -332,4 +332,4 @@ contributors (in addition to the above; based on Changelog)
        Jakub Kiciński
        Jean Delvare
        Damian Poddebniak
        Jakub Kiciński
        Jean Delvare
        Damian Poddebniak
-
+       Alvar Penning
index 87575671afbcef42e3e47f227dfb8a153760ed8b..848f0ce8690c27bde1bd1f035c6241552da0fb6d 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto & The Claws Mail Team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -1486,11 +1486,28 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
                } else if (body && !*body && !g_ascii_strcasecmp(field, "body")) {
                        *body = decode_uri_gdup(value);
                } else if (body && !*body && !g_ascii_strcasecmp(field, "insert")) {
                } else if (body && !*body && !g_ascii_strcasecmp(field, "body")) {
                        *body = decode_uri_gdup(value);
                } else if (body && !*body && !g_ascii_strcasecmp(field, "insert")) {
+                       int i = 0;
                        gchar *tmp = decode_uri_gdup(value);
                        gchar *tmp = decode_uri_gdup(value);
-                       if (!g_file_get_contents(tmp, body, NULL, NULL)) {
-                               g_warning("couldn't set insert file '%s' in body", value);
+
+                       for (; forbidden_uris[i]; i++) {
+                               if (strstr(tmp, forbidden_uris[i])) {
+                                       g_print("Refusing to insert '%s', potential private data leak\n",
+                                                       tmp);
+                                       g_free(tmp);
+                                       tmp = NULL;
+                                       break;
+                               }
+                       }
+
+                       if (tmp) {
+                               if (!is_file_entry_regular(tmp)) {
+                                       g_warning("Refusing to insert '%s', not a regular file\n", tmp);
+                               } else if (!g_file_get_contents(tmp, body, NULL, NULL)) {
+                                       g_warning("couldn't set insert file '%s' in body", value);
+                               }
+
+                               g_free(tmp);
                        }
                        }
-                       g_free(tmp);
                } else if (attach && !g_ascii_strcasecmp(field, "attach")) {
                        int i = 0;
                        gchar *tmp = decode_uri_gdup(value);
                } else if (attach && !g_ascii_strcasecmp(field, "attach")) {
                        int i = 0;
                        gchar *tmp = decode_uri_gdup(value);
@@ -1504,6 +1521,7 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
                                                        tmp);
                                        g_free(tmp);
                                        g_free(my_att);
                                                        tmp);
                                        g_free(tmp);
                                        g_free(my_att);
+                                       tmp = NULL;
                                        break;
                                }
                        }
                                        break;
                                }
                        }
@@ -1514,9 +1532,6 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
                                my_att[num_attach-1] = tmp;
                                my_att[num_attach] = NULL;
                                *attach = my_att;
                                my_att[num_attach-1] = tmp;
                                my_att[num_attach] = NULL;
                                *attach = my_att;
-                               g_free(tmp);
-                       } else {
-                               g_free(my_att);
                        }
                } else if (inreplyto && !*inreplyto &&
                           !g_ascii_strcasecmp(field, "in-reply-to")) {
                        }
                } else if (inreplyto && !*inreplyto &&
                           !g_ascii_strcasecmp(field, "in-reply-to")) {
@@ -2047,6 +2062,14 @@ gboolean is_file_entry_exist(const gchar *file)
        return g_file_test(file, G_FILE_TEST_EXISTS);
 }
 
        return g_file_test(file, G_FILE_TEST_EXISTS);
 }
 
+gboolean is_file_entry_regular(const gchar *file)
+{
+       if (file == NULL)
+               return FALSE;
+
+       return g_file_test(file, G_FILE_TEST_IS_REGULAR);
+}
+
 gboolean dirent_is_regular_file(struct dirent *d)
 {
 #if !defined(G_OS_WIN32) && defined(HAVE_DIRENT_D_TYPE)
 gboolean dirent_is_regular_file(struct dirent *d)
 {
 #if !defined(G_OS_WIN32) && defined(HAVE_DIRENT_D_TYPE)
index 47563b2a1fef14c72b09a640b9a59a64fb5b10c8..9816c4efcac9c400985cef6ebba9f48e75b0e74b 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
 /*
  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto and the Claws Mail team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -413,6 +413,7 @@ gboolean file_exist         (const gchar    *file,
 gboolean is_relative_filename   (const gchar *file);
 gboolean is_dir_exist          (const gchar    *dir);
 gboolean is_file_entry_exist   (const gchar    *file);
 gboolean is_relative_filename   (const gchar *file);
 gboolean is_dir_exist          (const gchar    *dir);
 gboolean is_file_entry_exist   (const gchar    *file);
+gboolean is_file_entry_regular(const gchar *file);
 gboolean dirent_is_regular_file        (struct dirent  *d);
 
 #define is_file_exist(file)            file_exist(file, FALSE)
 gboolean dirent_is_regular_file        (struct dirent  *d);
 
 #define is_file_exist(file)            file_exist(file, FALSE)
index d8c06432fb5527016cbf4df989ebb1a21a11de0e..7e45570476d1b6721f716ef7152eccdc07f6e3cd 100644 (file)
@@ -253,6 +253,7 @@ static char *CONTRIBS_LIST[] = {
 "Thomas Orgis",
 "Reza Pakdel",
 "Richard Palo",
 "Thomas Orgis",
 "Reza Pakdel",
 "Richard Palo",
+"Alvar Penning",
 "Damian Poddebniak",
 "Marcel Pol",
 "Martin Pool",
 "Damian Poddebniak",
 "Marcel Pol",
 "Martin Pool",