0.9.6claws78
authorLuke Plant <L.Plant.98@cantab.net>
Mon, 17 Nov 2003 23:55:41 +0000 (23:55 +0000)
committerLuke Plant <L.Plant.98@cantab.net>
Mon, 17 Nov 2003 23:55:41 +0000 (23:55 +0000)
* src/textview.c
        add check for disguised URLs, fixing bug 57
        "Hidden URL in HTML Mails"

ChangeLog.claws
configure.ac
src/textview.c

index 35326dd..95d184e 100644 (file)
@@ -1,3 +1,8 @@
+2003-11-17 [luke]      0.9.6claws78
+        * src/textview.c
+                add check for disguised URLs, fixing bug 57
+                "Hidden URL in HTML Mails"
+
 2003-11-16 [christoph] 0.9.6claws77
 
        * src/procmime.c
index 486195e..9a68834 100644 (file)
@@ -11,7 +11,7 @@ MINOR_VERSION=9
 MICRO_VERSION=6
 INTERFACE_AGE=0
 BINARY_AGE=0
-EXTRA_VERSION=77
+EXTRA_VERSION=78
 if test $EXTRA_VERSION -eq 0; then
     VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.${MICRO_VERSION}claws
 else
index 3c0d6f5..d96ca91 100644 (file)
@@ -51,6 +51,7 @@
 #include "displayheader.h"
 #include "account.h"
 #include "mimeview.h"
+#include "alertpanel.h"
 
 typedef struct _RemoteURI      RemoteURI;
 
@@ -1789,6 +1790,67 @@ static gint show_url_timeout_cb(gpointer data)
                return FALSE;
 }
 
+/*!
+ *\brief    Check to see if a web URL has been disguised as a different
+ *          URL (possible with HTML email).
+ *
+ *\param    uri The uri to check
+ *
+ *\param    textview The TextView the URL is contained in
+ *
+ *\return   gboolean TRUE if the URL is ok, or if the user chose to open
+ *          it anyway, otherwise FALSE          
+ */
+static gboolean uri_security_check(RemoteURI *uri, TextView *textview) 
+{
+       gchar *clicked_str;
+       gboolean retval = TRUE;
+
+       if (g_strncasecmp(uri->uri, "http:", 5) &&
+           g_strncasecmp(uri->uri, "https:", 6) &&
+           g_strncasecmp(uri->uri, "www.", 4)) 
+               return retval;
+
+       clicked_str = gtk_editable_get_chars(GTK_EDITABLE(textview->text),
+                                            uri->start,
+                                            uri->end);
+       
+       if (strcmp(clicked_str, uri->uri) &&
+           (!g_strncasecmp(clicked_str, "http:",  5) ||
+            !g_strncasecmp(clicked_str, "https:", 6) ||
+            !g_strncasecmp(clicked_str, "www.",   4))) {
+               retval = FALSE;
+
+               /* allow uri->uri    == http://somewhere.com
+                  and   clicked_str ==        somewhere.com */
+               gchar *str = g_strconcat("http://", clicked_str, NULL);
+
+               if (!g_strcasecmp(str, uri->uri))
+                       retval = TRUE;
+               g_free(str);
+       }
+
+       if (retval == FALSE) {
+               gchar *msg = NULL;
+               AlertValue resp;
+
+               msg = g_strdup_printf(_("The real URL (%s) is different from\n"
+                                       "the apparent URL (%s).  \n"
+                                       "Open it anyway?"),
+                                       uri->uri, clicked_str);
+               resp = alertpanel(_("Warning"), 
+                                 msg,
+                                 _("Yes"), 
+                                 _("No"),
+                                 NULL);
+               g_free(msg);
+               if (resp == G_ALERTDEFAULT)
+                       retval = TRUE;
+       } 
+       g_free(clicked_str);
+       return retval;
+}
+
 static gint textview_button_pressed(GtkWidget *widget, GdkEventButton *event,
                                    TextView *textview)
 {
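Review bot: The disguise test in the `strcmp(clicked_str, uri->uri) && (...)` condition only fires when the displayed text itself starts with http:, https: or www., so link text such as `secure.example.com` or `bank.example/login` whose real target is a different host is opened with no warning at all, which is the very case the commit message describes; the first guard likewise returns TRUE unchecked when uri->uri uses any other scheme (ftp:, file:, ...). Consider treating clicked text that looks like a hostname (contains a '.' and no whitespace) as an apparent URL, or at minimum comparing the displayed text against the host part of uri->uri, and dropping the scheme whitelist on the real URI. Separately, the user is let through on `resp == G_ALERTDEFAULT`, which pairs with the first button `_("Yes")`; if that is also the button activated by Enter, as the name suggests, the safe default for a spoofed-link warning is to list `_("No")` first and open only on the value alertpanel returns for the second button. The hunk's final context line is the signature of textview_button_pressed, whose body lies outside the hunk.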
@@ -1871,8 +1933,9 @@ static gint textview_button_released(GtkWidget *widget, GdkEventButton *event,
                                                compose_new(account, uri->uri + 7, NULL);
                                        }
                                } else {
-                                       open_uri(uri->uri,
-                                                prefs_common.uri_cmd);
+                                       if (uri_security_check(uri, textview) == TRUE) 
+                                               open_uri(uri->uri,
+                                                        prefs_common.uri_cmd);
                                }
                                g_free(trimmed_uri);
                        }
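Review bot: `if (uri_security_check(uri, textview) == TRUE)` compares a gboolean against TRUE; the idiomatic and more robust form is `if (uri_security_check(uri, textview))`, which also behaves correctly should the function ever return a non-zero value other than 1. textview_button_released starts and ends outside the hunk, so the surrounding branches (including the compose_new path above, which the new check does not cover) could not be reviewed here.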