[Users] [Bug 4373] New: attach mailto URI double free

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Tue Aug 18 20:50:44 CEST 2020


https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4373

            Bug ID: 4373
           Summary: attach mailto URI double free
           Product: Claws Mail
           Version: GIT
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: post at 0x21.biz

Created attachment 2076
  -->
https://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=2076&action=edit
possible patch

Claws Mail supports the undocumented "attach" field within the mailto URI.
Setting this field to a valid path should result in Claws Mail adding the
specific file as an attachment to the new mail.

This feature was also discussed in the recently published paper "Mailto: Me
Your Secrets. On Bugs and Features in Email End-to-End Encryption" by Müller et
al.

The scan_mailto_url function within common/utils.c checks the attach value
against an array of forbidden URIs (forbidden_uris). In case of a match the
file should not be attached.

This is done by "unsetting" the tmp variable which stores the attach value.
However, the current code only frees the variable but does not NULL it. The
following "if (tmp) { … }" branch will be executed which results in another
freeing. Thus, Claws Mail crashed on my machine.

This very if branch might have another bug. Even freeing a valid tmp will result
in a freed pointer in the attach array. Thus, attaching a valid file errors.

A patch is attached which hopefully fixes these two problems.

-- 
You are receiving this mail because:
You are the assignee for the bug.
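
The two ownership rules the report describes (NULL the pointer after freeing a rejected value, and do not free a value once it is stored in the attach array), as an added example that is not Claws Mail's code and not the attached patch. The helper names, the deny-list entries and the sample paths are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed deny-list for this example, not the project's forbidden_uris. */
static const char *const deny_prefixes[] = { "/etc/", "/proc/", NULL };

static int is_forbidden(const char *path) {
    for (size_t i = 0; deny_prefixes[i] != NULL; i++)
        if (strncmp(path, deny_prefixes[i], strlen(deny_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: 1 = stored, 0 = rejected, -1 = allocation failure. */
static int add_attachment(char ***attach, size_t *count, const char *value) {
    size_t len = strlen(value) + 1;
    char *tmp = malloc(len);
    if (tmp == NULL) return -1;
    memcpy(tmp, value, len);
    if (is_forbidden(tmp)) {
        free(tmp);
        tmp = NULL; /* otherwise the next branch runs on a dangling pointer */
    }
    if (tmp != NULL) {
        char **grown = realloc(*attach, (*count + 2) * sizeof(char *));
        if (grown == NULL) { free(tmp); return -1; }
        grown[*count] = tmp;      /* ownership moves to the array ... */
        grown[*count + 1] = NULL;
        *attach = grown;
        *count += 1;
        return 1;                 /* ... so tmp must not be freed here */
    }
    return 0;
}

/* Single owner of every stored string: frees each entry exactly once. */
static void free_attachments(char **attach) {
    for (size_t i = 0; attach != NULL && attach[i] != NULL; i++)
        free(attach[i]);
    free(attach);
}

int main(void) {
    char **attach = NULL;
    size_t count = 0;
    add_attachment(&attach, &count, "/etc/passwd");           /* rejected */
    add_attachment(&attach, &count, "/home/user/report.txt"); /* stored */
    free_attachments(attach);
    return count == 1 ? 0 : 1;
}
```

Building this with `-fsanitize=address` and removing the `tmp = NULL;` line makes the double free visible on the rejected path.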

