aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVibha Yadav <yvibha@novell.com>2011-09-15 20:33:53 +0800
committerVibha Yadav <yvibha@novell.com>2011-09-15 20:33:53 +0800
commit1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a (patch)
tree6282647cb6046f4f8defe0a0c74706a482d60feb
parent47e9bcea88bf4899b09c9fd41766cbcb2315f859 (diff)
downloadgsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar.gz
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar.bz2
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar.lz
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar.xz
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.tar.zst
gsoc2013-evolution-1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a.zip
Bug #657374 - mailto: attachment parameter can lead to accidental data exfiltration
Through warning on attaching Hidden/security files by mailto command.
-rw-r--r--composer/e-msg-composer.c30
-rw-r--r--mail/mail.error.xml5
2 files changed, 35 insertions, 0 deletions
diff --git a/composer/e-msg-composer.c b/composer/e-msg-composer.c
index c41c4019b3..0eaf3caa6b 100644
--- a/composer/e-msg-composer.c
+++ b/composer/e-msg-composer.c
@@ -128,6 +128,8 @@ static void handle_multipart_signed (EMsgComposer *composer,
static void e_msg_composer_alert_sink_init (EAlertSinkInterface *interface);
+gboolean check_blacklisted_file (gchar *filename);
+
G_DEFINE_TYPE_WITH_CODE (
EMsgComposer,
e_msg_composer,
@@ -4003,6 +4005,28 @@ merge_always_cc_and_bcc (EComposerHeaderTable *table,
e_destination_freev (addrv);
}
+static const gchar *blacklisted_files [] = {".", "etc", ".."};
+
+gboolean check_blacklisted_file (gchar *filename)
+{
+ gboolean blacklisted = FALSE;
+ gint i,j,len;
+ gchar **filename_part;
+
+ filename_part = g_strsplit (filename, G_DIR_SEPARATOR_S, -1);
+ len = g_strv_length(filename_part);
+ for(i = 0; !blacklisted && i < G_N_ELEMENTS(blacklisted_files); i++)
+ {
+ for (j = 0; !blacklisted && j < len;j++)
+ if (g_str_has_prefix (filename_part[j], blacklisted_files[i]))
+ blacklisted = TRUE;
+ }
+
+ g_strfreev(filename_part);
+
+ return blacklisted;
+}
+
static void
handle_mailto (EMsgComposer *composer,
const gchar *mailto)
@@ -4094,8 +4118,14 @@ handle_mailto (EMsgComposer *composer,
} else if (!g_ascii_strcasecmp (header, "attach") ||
!g_ascii_strcasecmp (header, "attachment")) {
EAttachment *attachment;
+ gboolean check = FALSE;
camel_url_decode (content);
+ check = check_blacklisted_file(content);
+ if(check)
+ e_alert_submit (
+ E_ALERT_SINK (composer),
+ "mail:blacklisted-file", content, NULL);
if (g_ascii_strncasecmp (content, "file:", 5) == 0)
attachment = e_attachment_new_for_uri (content);
else
diff --git a/mail/mail.error.xml b/mail/mail.error.xml
index f32b4ce688..006cc559a4 100644
--- a/mail/mail.error.xml
+++ b/mail/mail.error.xml
@@ -540,5 +540,10 @@ An mbox account will be created to preserve the old mbox folders. You can delete
<_secondary>The reported error was &quot;{0}&quot;.</_secondary>
</error>
+ <error id="blacklisted-file" type="warning">
+ <_primary>Hidden file is attached.</_primary>
+ <_secondary xml:space="preserve">The attachment named {0} is a hidden file and may contain sensitive data. Please review it before sending.</_secondary>
+ </error>
+
</error-list>