From 6494a6797b4a797b1640c051656df8a2898f0ae6 Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Mon, 17 Nov 2003 23:55:41 +0000
Subject: [PATCH] 0.9.6claws78

* src/textview.c
add check for disguised URLs, fixing bug 57
"Hidden URL in HTML Mails"
---
 ChangeLog.claws | 5 ++++
 configure.ac | 2 +-
 src/textview.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/ChangeLog.claws b/ChangeLog.claws
index 35326dde4..95d184e47 100644
--- a/ChangeLog.claws
+++ b/ChangeLog.claws
@@ -1,3 +1,8 @@
+2003-11-17 [luke] 0.9.6claws78
+ * src/textview.c
+ add check for disguised URLs, fixing bug 57
+ "Hidden URL in HTML Mails"
+
 2003-11-16 [christoph] 0.9.6claws77
 * src/procmime.c
diff --git a/configure.ac b/configure.ac
index 486195e26..9a68834a4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11,7 +11,7 @@ MINOR_VERSION=9
 MICRO_VERSION=6
 INTERFACE_AGE=0
 BINARY_AGE=0
-EXTRA_VERSION=77
+EXTRA_VERSION=78
 if test $EXTRA_VERSION -eq 0; then
 VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.${MICRO_VERSION}claws
 else
diff --git a/src/textview.c b/src/textview.c
index 3c0d6f57b..d96ca911c 100644
--- a/src/textview.c
+++ b/src/textview.c
@@ -51,6 +51,7 @@
 #include "displayheader.h"
 #include "account.h"
 #include "mimeview.h"
+#include "alertpanel.h"
 typedef struct _RemoteURI RemoteURI;
@@ -1789,6 +1790,67 @@ static gint show_url_timeout_cb(gpointer data)
 return FALSE;
 }
+/*!
+ *\brief Check to see if a web URL has been disguised as a different
+ * URL (possible with HTML email).
+ *
+ *\param uri The uri to check
+ *
+ *\param textview The TextView the URL is contained in
+ *
+ *\return gboolean TRUE if the URL is ok, or if the user chose to open
+ * it anyway, otherwise FALSE
+ */
+static gboolean uri_security_check(RemoteURI *uri, TextView *textview)
+{
+ gchar *clicked_str;
+ gboolean retval = TRUE;
+
+ if (g_strncasecmp(uri->uri, "http:", 5) &&
+ g_strncasecmp(uri->uri, "https:", 6) &&
+ g_strncasecmp(uri->uri, "www.", 4))
+ return retval;
+
+ clicked_str = gtk_editable_get_chars(GTK_EDITABLE(textview->text),
+ uri->start,
+ uri->end);
+
+ if (strcmp(clicked_str, uri->uri) &&
+ (!g_strncasecmp(clicked_str, "http:", 5) ||
+ !g_strncasecmp(clicked_str, "https:", 6) ||
+ !g_strncasecmp(clicked_str, "www.", 4))) {
+ retval = FALSE;
+
+ /* allow uri->uri == http://somewhere.com
+ and clicked_str == somewhere.com */
+ gchar *str = g_strconcat("http://", clicked_str, NULL);
+
+ if (!g_strcasecmp(str, uri->uri))
+ retval = TRUE;
+ g_free(str);
+ }
+
+ if (retval == FALSE) {
+ gchar *msg = NULL;
+ AlertValue resp;
+
+ msg = g_strdup_printf(_("The real URL (%s) is different from\n"
+ "the apparent URL (%s). \n"
+ "Open it anyway?"),
+ uri->uri, clicked_str);
+ resp = alertpanel(_("Warning"),
+ msg,
+ _("Yes"),
+ _("No"),
+ NULL);
+ g_free(msg);
+ if (resp == G_ALERTDEFAULT)
+ retval = TRUE;
+ }
+ g_free(clicked_str);
+ return retval;
+}
+
 static gint textview_button_pressed(GtkWidget *widget, GdkEventButton *event,
 TextView *textview)
 {
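Review bot: `clicked_str` goes straight into `strcmp` without a NULL check, and `gtk_editable_get_chars` can return NULL (at least when the start/end range is not valid for the widget), which would crash inside the new check; bail out right after the call, e.g. `if (clicked_str == NULL) return FALSE;`, since a link whose displayed text cannot be read cannot be verified either. The affirmative reply is wired to `G_ALERTDEFAULT` with "Yes" as the first button, so if that is the button Enter activates, the default response to a warning about a possibly spoofed link is to open it; making "No" the default action would fail safe. The equality test `strcmp(clicked_str, uri->uri)` is case-sensitive while every prefix test around it is case-insensitive, so a differently cased scheme or host name triggers a spurious warning; `g_strcasecmp` would be consistent with the `str` comparison a few lines below. Note also that the comparison only runs when the displayed text itself begins with http:, https: or www., so a displayed bare host name or path is never compared with the target; the doc comment should state this limitation so nobody takes the check for a complete spoofing guard.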
@@ -1871,8 +1933,9 @@ static gint textview_button_released(GtkWidget *widget, GdkEventButton *event,
 compose_new(account, uri->uri + 7, NULL);
 }
 } else {
- open_uri(uri->uri,
- prefs_common.uri_cmd);
+ if (uri_security_check(uri, textview) == TRUE)
+ open_uri(uri->uri,
+ prefs_common.uri_cmd);
 }
 g_free(trimmed_uri);
 }
-- 
2.25.1
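Review bot: `uri_security_check(uri, textview) == TRUE` compares a gboolean against TRUE, which silently skips the open if the callee ever returns a non-zero value other than TRUE; the idiomatic and robust form is `if (uri_security_check(uri, textview))`. The guard covers only this `open_uri` call, and textview_button_released begins and ends outside the hunk, so any other place that hands `uri->uri` to `open_uri` (if one exists) still opens the target unverified and is worth auditing.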