[Commits] [SCM] claws branch, master, updated. 3.17.6-4-g4c9d15b4b
paul at claws-mail.org
paul at claws-mail.org
Wed Aug 19 08:56:29 CEST 2020
The branch, master has been updated
via 4c9d15b4b37cdc57edfa16df550a0a881a156153 (commit)
from 4099289a72d9007c4b054babd6eabe915add5a31 (commit)
Summary of changes:
AUTHORS | 2 +-
src/common/utils.c | 37 ++++++++++++++++++++++++++++++-------
src/common/utils.h | 3 ++-
src/gtk/authors.h | 1 +
4 files changed, 34 insertions(+), 9 deletions(-)
- Log -----------------------------------------------------------------
commit 4c9d15b4b37cdc57edfa16df550a0a881a156153
Author: Paul <paul at claws-mail.org>
Date: Wed Aug 19 07:56:23 2020 +0100
fix bugs 4373, 'attach mailto URI double free' and 4374, 'insert mailto URI misses checks'
patch by Alvar Penning
diff --git a/AUTHORS b/AUTHORS
index 5299b1381..7d9f066f3 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -332,4 +332,4 @@ contributors (in addition to the above; based on Changelog)
Jakub KiciĆski
Jean Delvare
Damian Poddebniak
-
+ Alvar Penning
diff --git a/src/common/utils.c b/src/common/utils.c
index 87575671a..848f0ce86 100644
--- a/src/common/utils.c
+++ b/src/common/utils.c
@@ -1,6 +1,6 @@
/*
* Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto & The Claws Mail Team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -1486,11 +1486,28 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
} else if (body && !*body && !g_ascii_strcasecmp(field, "body")) {
*body = decode_uri_gdup(value);
} else if (body && !*body && !g_ascii_strcasecmp(field, "insert")) {
+ int i = 0;
gchar *tmp = decode_uri_gdup(value);
- if (!g_file_get_contents(tmp, body, NULL, NULL)) {
- g_warning("couldn't set insert file '%s' in body", value);
+
+ for (; forbidden_uris[i]; i++) {
+ if (strstr(tmp, forbidden_uris[i])) {
+ g_print("Refusing to insert '%s', potential private data leak\n",
+ tmp);
+ g_free(tmp);
+ tmp = NULL;
+ break;
+ }
+ }
+
+ if (tmp) {
+ if (!is_file_entry_regular(tmp)) {
+ g_warning("Refusing to insert '%s', not a regular file\n", tmp);
+ } else if (!g_file_get_contents(tmp, body, NULL, NULL)) {
+ g_warning("couldn't set insert file '%s' in body", value);
+ }
+
+ g_free(tmp);
}
- g_free(tmp);
} else if (attach && !g_ascii_strcasecmp(field, "attach")) {
int i = 0;
gchar *tmp = decode_uri_gdup(value);
@@ -1504,6 +1521,7 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
tmp);
g_free(tmp);
g_free(my_att);
+ tmp = NULL;
break;
}
}
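Review bot: The `g_free(my_att)` on L77 is not paired with `my_att = NULL` the way the added L78 now pairs `g_free(tmp)` with `tmp = NULL`. my_att is declared outside the hunk, but the `num_attach++` / `g_realloc(my_att, …)` / `*attach = my_att` sequence in the following hunk (L83-L85) suggests it accumulates across several attach= fields; if so, a refused attachment frees an array that `*attach` may already point to from an earlier field and leaves my_att dangling for the next g_realloc, the same class of double free the commit title fixes. If that reading is right, the simplest fix is to delete L77 and let the accumulated list stand; if my_att is per-field instead, add `my_att = NULL;` beside L78 and say so in a comment. scan_mailto_url continues outside the hunk.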
@@ -1514,9 +1532,6 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
my_att[num_attach-1] = tmp;
my_att[num_attach] = NULL;
*attach = my_att;
- g_free(tmp);
- } else {
- g_free(my_att);
}
} else if (inreplyto && !*inreplyto &&
!g_ascii_strcasecmp(field, "in-reply-to")) {
@@ -2047,6 +2062,14 @@ gboolean is_file_entry_exist(const gchar *file)
return g_file_test(file, G_FILE_TEST_EXISTS);
}
+gboolean is_file_entry_regular(const gchar *file)
+{
+ if (file == NULL)
+ return FALSE;
+
+ return g_file_test(file, G_FILE_TEST_IS_REGULAR);
+}
+
gboolean dirent_is_regular_file(struct dirent *d)
{
#if !defined(G_OS_WIN32) && defined(HAVE_DIRENT_D_TYPE)
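Review bot: is_file_entry_regular on L95-L101 has no header comment, and its one non-obvious property is inherited from g_file_test: G_FILE_TEST_IS_REGULAR follows symbolic links, so a link to a regular file reports TRUE, and the guard on L97 reports a NULL path as "not regular" rather than as an error. Suggest a comment above L95 such as `/* TRUE if file is non-NULL and names an existing regular file; symlinks are followed (g_file_test semantics), so this alone does not reject links. */`. Whether the neighbouring is_file_entry_exist guards NULL the same way is outside the hunk (only its return on L93 is visible), so the comment should not claim parity with it.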
diff --git a/src/common/utils.h b/src/common/utils.h
index 47563b2a1..9816c4efc 100644
--- a/src/common/utils.h
+++ b/src/common/utils.h
@@ -1,6 +1,6 @@
/*
* Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto and the Claws Mail team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -413,6 +413,7 @@ gboolean file_exist (const gchar *file,
gboolean is_relative_filename (const gchar *file);
gboolean is_dir_exist (const gchar *dir);
gboolean is_file_entry_exist (const gchar *file);
+gboolean is_file_entry_regular(const gchar *file);
gboolean dirent_is_regular_file (struct dirent *d);
#define is_file_exist(file) file_exist(file, FALSE)
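Review bot: The new prototype on L122 breaks the column alignment its neighbours on L119-L121 and L123 use (a space before the parameter list, as in `is_file_entry_exist (const gchar *file)`); write it as `gboolean is_file_entry_regular (const gchar *file);` so the declaration block stays uniform. A one-line comment on what "regular" means here (g_file_test with G_FILE_TEST_IS_REGULAR, which follows symlinks) would also help callers choose between this and is_file_entry_exist.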
diff --git a/src/gtk/authors.h b/src/gtk/authors.h
index d8c06432f..7e4557047 100644
--- a/src/gtk/authors.h
+++ b/src/gtk/authors.h
@@ -253,6 +253,7 @@ static char *CONTRIBS_LIST[] = {
"Thomas Orgis",
"Reza Pakdel",
"Richard Palo",
+"Alvar Penning",
"Damian Poddebniak",
"Marcel Pol",
"Martin Pool",
-----------------------------------------------------------------------
hooks/post-receive
--
Claws Mail