From 4c9d15b4b37cdc57edfa16df550a0a881a156153 Mon Sep 17 00:00:00 2001
From: Paul
Date: Wed, 19 Aug 2020 07:56:23 +0100
Subject: [PATCH] fix bugs 4373, 'attach mailto URI double free' and 4374, ' insert mailto URI misses checks' patch by Alvar Penning
---
 AUTHORS | 2 +-
 src/common/utils.c | 37 ++++++++++++++++++++++++++++++-------
 src/common/utils.h | 3 ++-
 src/gtk/authors.h | 1 +
 4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index 5299b1381..7d9f066f3 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -332,4 +332,4 @@ contributors (in addition to the above; based on Changelog)
 Jakub KiciƄski
 Jean Delvare
 Damian Poddebniak
-
+ Alvar Penning
diff --git a/src/common/utils.c b/src/common/utils.c
index 87575671a..848f0ce86 100644
--- a/src/common/utils.c
+++ b/src/common/utils.c
@@ -1,6 +1,6 @@
 /*
 * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto & The Claws Mail Team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -1486,11 +1486,28 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
 } else if (body && !*body && !g_ascii_strcasecmp(field, "body")) {
 *body = decode_uri_gdup(value);
 } else if (body && !*body && !g_ascii_strcasecmp(field, "insert")) {
+ int i = 0;
 gchar *tmp = decode_uri_gdup(value);
- if (!g_file_get_contents(tmp, body, NULL, NULL)) {
- g_warning("couldn't set insert file '%s' in body", value);
+
+ for (; forbidden_uris[i]; i++) {
+ if (strstr(tmp, forbidden_uris[i])) {
+ g_print("Refusing to insert '%s', potential private data leak\n",
+ tmp);
+ g_free(tmp);
+ tmp = NULL;
+ break;
+ }
+ }
+
+ if (tmp) {
+ if (!is_file_entry_regular(tmp)) {
+ g_warning("Refusing to insert '%s', not a regular file\n", tmp);
+ } else if (!g_file_get_contents(tmp, body, NULL, NULL)) {
+ g_warning("couldn't set insert file '%s' in body", value);
+ }
+
+ g_free(tmp);
 }
- g_free(tmp);
 } else if (attach && !g_ascii_strcasecmp(field, "attach")) {
 int i = 0;
 gchar *tmp = decode_uri_gdup(value);
@@ -1504,6 +1521,7 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
 tmp);
 g_free(tmp);
 g_free(my_att);
+ tmp = NULL;
 break;
 }
 }
@@ -1514,9 +1532,6 @@ gint scan_mailto_url(const gchar *mailto, gchar **from, gchar **to, gchar **cc,
 my_att[num_attach-1] = tmp;
 my_att[num_attach] = NULL;
 *attach = my_att;
- g_free(tmp);
- } else {
- g_free(my_att);
 }
 } else if (inreplyto && !*inreplyto && !g_ascii_strcasecmp(field, "in-reply-to")) {
@@ -2047,6 +2062,14 @@ gboolean is_file_entry_exist(const gchar *file)
 return g_file_test(file, G_FILE_TEST_EXISTS);
 }

+gboolean is_file_entry_regular(const gchar *file)
+{
+ if (file == NULL)
+ return FALSE;
+
+ return g_file_test(file, G_FILE_TEST_IS_REGULAR);
+}
+
 gboolean dirent_is_regular_file(struct dirent *d)
 {
 #if !defined(G_OS_WIN32) && defined(HAVE_DIRENT_D_TYPE)
diff --git a/src/common/utils.h b/src/common/utils.h
index 47563b2a1..9816c4efc 100644
--- a/src/common/utils.h
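Review bot: The new not-regular-file branch of the `insert` handling passes a trailing `\n` to `g_warning`, which already terminates its message, so the log entry is followed by an empty line; the neighbouring `g_warning("couldn't set insert file '%s' in body", value)` carries no `\n`, so drop it: `g_warning("Refusing to insert '%s', not a regular file", tmp);`. The forbidden-URI refusal a few lines earlier goes to stdout via `g_print` while the regular-file refusal goes through `g_warning`; that appears to mirror the existing attach branch, but both are refusals driven by an externally supplied mailto URI and belong on the same log channel so that they can be spotted together. The enclosing `scan_mailto_url` starts and ends outside the hunk.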
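Review bot: `tmp = NULL;` after the two frees keeps the later `if (tmp)` path from touching the freed attachment name, but `my_att` is freed on the line just above and left dangling in the same scope; add `my_att = NULL;` beside it so that a future edit which tests `my_att` rather than `tmp` cannot reintroduce the use-after-free this commit fixes. Whether `my_att` is referenced after the loop when `tmp` is NULL is not visible here; the enclosing loop and `scan_mailto_url` both start and end outside the hunk.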
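Review bot: With the `g_free(tmp)` after `*attach = my_att;` gone, the string in `tmp` is kept alive inside the `my_att` array and its ownership moves to whoever receives `*attach`; that transfer is now implicit, so state it at the assignment: `/* tmp is now owned by *attach; the caller frees the array and its entries */`. The removed `else { g_free(my_att); }` is consistent with `my_att` now being freed inside the forbidden-URI loop, but that loop is only partly visible in the previous hunk. The enclosing `scan_mailto_url` starts and ends outside the hunk.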
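Review bot: `is_file_entry_regular` relies on `G_FILE_TEST_IS_REGULAR`, which in GLib follows symbolic links, so a symlink that resolves to a regular file passes and the check only rules out directories, devices and FIFOs; its answer is also just a snapshot, because the file is opened separately by `g_file_get_contents` in the `insert` hunk above. Neither limitation is written down and the matching prototype added to utils.h is undocumented; add a comment such as `/* TRUE if file names a regular file (symlinks are followed); NULL or a missing path yields FALSE */` above the definition or the declaration. The explicit NULL guard is welcome, though whether it matches `is_file_entry_exist` cannot be seen, as only that function's return line is in the hunk.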
+++ b/src/common/utils.h
@@ -1,6 +1,6 @@
 /*
 * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
- * Copyright (C) 1999-2016 Hiroyuki Yamamoto and the Claws Mail team
+ * Copyright (C) 1999-2020 The Claws Mail Team and Hiroyuki Yamamoto
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -413,6 +413,7 @@ gboolean file_exist (const gchar *file,
 gboolean is_relative_filename (const gchar *file);
 gboolean is_dir_exist (const gchar *dir);
 gboolean is_file_entry_exist (const gchar *file);
+gboolean is_file_entry_regular(const gchar *file);
 gboolean dirent_is_regular_file (struct dirent *d);

 #define is_file_exist(file) file_exist(file, FALSE)
diff --git a/src/gtk/authors.h b/src/gtk/authors.h
index d8c06432f..7e4557047 100644
--- a/src/gtk/authors.h
+++ b/src/gtk/authors.h
@@ -253,6 +253,7 @@ static char *CONTRIBS_LIST[] = {
 "Thomas Orgis",
 "Reza Pakdel",
 "Richard Palo",
+"Alvar Penning",
 "Damian Poddebniak",
 "Marcel Pol",
 "Martin Pool",
-- 
2.11.4.GIT