[Users] [Bug 4374] New: insert mailto URI misses checks

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Tue Aug 18 20:50:49 CEST 2020


https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4374

            Bug ID: 4374
           Summary: insert mailto URI misses checks
           Product: Claws Mail
           Version: GIT
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: post at 0x21.biz

Created attachment 2077
  -->
https://www.thewildbeast.co.uk/claws-mail/bugzilla/attachment.cgi?id=2077&action=edit
possible patch

Claws Mail supports the undocumented "insert" field within the mailto URI.
Setting this field to a valid path should result in Claws Mail setting the
specific file's content as the new mail's body.

Contrary to the code for the attach functionality, there are no parameter
checks. This allows the creation of a mailto URI to send, for example,
/etc/passwd.

Furthermore, there is also no check if the parameter is a regular file. Passing
a device results in copying all its data into memory. By selecting /dev/zero my
system has hung within seconds.

A patch is attached which hopefully fixes these problems.

-- 
You are receiving this mail because:
You are the assignee for the bug.
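
One way to implement the regular-file and size checks the report describes as missing, as an added example that is neither the attached patch nor Claws Mail code. `read_insert_file` and `INSERT_MAX_BYTES` are hypothetical names, the 1 MiB cap is an assumption, and the question of which paths a mailto URI may name at all is not covered here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed cap on the inserted body size; not a Claws Mail constant. */
#define INSERT_MAX_BYTES ((size_t)1024 * 1024)

/* Hypothetical helper: return a malloc'd, NUL-terminated copy of `path`,
 * or NULL with errno set when it is not a regular file within the cap. */
char *read_insert_file(const char *path, size_t *len_out)
{
    struct stat st;
    ssize_t n = 0;
    size_t used = 0;
    char *buf;
    /* O_NONBLOCK: opening a FIFO or device node must not block. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return NULL;
    /* fstat() the descriptor, not the path, so the object that was
     * checked is the object that gets read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;   /* rejects /dev/zero, directories, FIFOs */
        return NULL;
    }
    buf = malloc(INSERT_MAX_BYTES + 1);
    if (buf == NULL) {
        close(fd);
        errno = ENOMEM;
        return NULL;
    }
    /* Ask for one byte beyond the cap so an oversized or growing file
     * is detected even when st_size under-reports (e.g. procfs). */
    while (used <= INSERT_MAX_BYTES &&
           (n = read(fd, buf + used, INSERT_MAX_BYTES + 1 - used)) > 0)
        used += (size_t)n;
    close(fd);
    if (n < 0 || used > INSERT_MAX_BYTES) {
        free(buf);
        errno = (n < 0) ? EIO : EFBIG;
        return NULL;
    }
    buf[used] = '\0';
    *len_out = used;
    return buf;
}
```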