author | Matthew Barnes <mbarnes@redhat.com> | 2008-06-04 18:46:38 +0800 |
---|---|---|
committer | Matthew Barnes <mbarnes@src.gnome.org> | 2008-06-04 18:46:38 +0800 |
commit | eee236262005c4486e246dc77b9609ddc0fdfe09 (patch) | |
tree | 1a4df35ec414a23160b66d3968d106462e68727f | |
parent | c1b28e2e05ac1790af041a6cb3cfdc4011baa002 (diff) | |
** Fixes security vulnerabilities CVE-2008-1108 and CVE-2008-1109
2008-06-04 Matthew Barnes <mbarnes@redhat.com>
** Fixes security vulnerabilities
CVE-2008-1108 and CVE-2008-1109
* calendar/gui/itip-utils.c (html_new_lines_for):
Do not use a fixed-size buffer for parsing external data.
Simplify the logic to just split and rejoin the string with a
different line separator.
* calendar/gui/e-itip-control.c (write_label_piece),
(write_recurrence_piece), (set_date_label):
Use a GString rather than a fixed-size buffer to build the HTML
string to avoid the possibility of an overflow.
svn path=/trunk/; revision=35594
-rw-r--r-- | calendar/ChangeLog | 15 | ||||
-rw-r--r-- | calendar/gui/e-itip-control.c | 129 | ||||
-rw-r--r-- | calendar/gui/itip-utils.c | 48 |
3 files changed, 96 insertions, 96 deletions
diff --git a/calendar/ChangeLog b/calendar/ChangeLog index b767e3bf9a..6fd1593859 100644 --- a/calendar/ChangeLog +++ b/calendar/ChangeLog @@ -1,3 +1,18 @@ +2008-06-04 Matthew Barnes <mbarnes@redhat.com> + + ** Fixes security vulnerabilities + CVE-2008-1108 and CVE-2008-1109 + + * gui/itip-utils.c (html_new_lines_for): + Do not use a fixed-size buffer for parsing external data. + Simplify the logic to just split and rejoin the string with a + different line separator. + + * gui/e-itip-control.c (write_label_piece), (write_recurrence_piece), + (set_date_label): + Use a GString rather than a fixed-size buffer to build the HTML + string to avoid the possibility of an overflow. + 2008-06-04 Shuai Liu <shuai.liu@sun.com> ** Fix for bug #535204 diff --git a/calendar/gui/e-itip-control.c b/calendar/gui/e-itip-control.c index f574d86b06..73f98940e9 100644 --- a/calendar/gui/e-itip-control.c +++ b/calendar/gui/e-itip-control.c @@ -660,7 +660,7 @@ find_attendee (icalcomponent *ical_comp, const char *address) static void write_label_piece (EItipControl *itip, ECalComponentDateTime *dt, - char *buffer, int size, + GString *buffer, const char *stext, const char *etext, gboolean just_date) { @@ -685,13 +685,13 @@ write_label_piece (EItipControl *itip, ECalComponentDateTime *dt, tmp_tm.tm_hour = tmp_tm.tm_min = tmp_tm.tm_sec = 0; if (stext != NULL) - strcat (buffer, stext); + g_string_append (buffer, stext); e_time_format_date_and_time (&tmp_tm, calendar_config_get_24_hour_format (), FALSE, FALSE, time_buf, sizeof (time_buf)); - strcat (buffer, time_buf); + g_string_append (buffer, time_buf); if (!dt->value->is_utc && dt->tzid) { zone = icalcomponent_get_timezone (priv->top_level, dt->tzid); 
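Review bot: write_label_piece has no comment stating its buffer contract, and dropping the `size` parameter in the `@@ -660,7` hunk leaves callers with nothing else to go on. I would add above the definition: `/* Appends the formatted date/time, wrapped in stext/etext, to @buffer as HTML; the caller owns the GString and resets it between pieces. */`. The same applies to write_recurrence_piece, which in a later hunk changes from overwriting the buffer with `strcpy` to appending to it. The function body continues past this hunk.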
@@ -703,21 +703,21 @@ write_label_piece (EItipControl *itip, ECalComponentDateTime *dt, UTF-8. But it probably is not translated. */ display_name = icaltimezone_get_display_name (zone); if (display_name && *display_name) { - strcat (buffer, " <font size=-1>["); + g_string_append_len (buffer, " <font size=-1>[", 16); /* We check if it is one of our builtin timezone names, in which case we call gettext to translate it. */ if (icaltimezone_get_builtin_timezone (display_name)) { - strcat (buffer, _(display_name)); + g_string_append_printf (buffer, "%s", _(display_name)); } else { - strcat (buffer, display_name); + g_string_append_printf (buffer, "%s", display_name); } - strcat (buffer, "]</font>"); + g_string_append_len (buffer, "]</font>", 8); } } if (etext != NULL) - strcat (buffer, etext); + g_string_append (buffer, etext); } static const char * @@ -754,19 +754,17 @@ get_dayname (struct icalrecurrencetype *r, int i) static void write_recurrence_piece (EItipControl *itip, ECalComponent *comp, - char *buffer, int size) + GString *buffer) { GSList *rrules; struct icalrecurrencetype *r; - int len, i; + int i; - strcpy (buffer, "<b>Recurring:</b> "); - len = strlen (buffer); - buffer += len; - size -= len; + g_string_append_len (buffer, "<b>Recurring:</b> ", 18); if (!e_cal_component_has_simple_recurrence (comp)) { - strcpy (buffer, _("Yes. (Complex Recurrence)")); + g_string_append_printf ( + buffer, "%s", _("Yes. (Complex Recurrence)")); return; } @@ -782,7 +780,10 @@ write_recurrence_piece (EItipControl *itip, ECalComponent *comp, Every %d day/days" */ /* For Translators : 'Every day' is event Recurring every day */ /* For Translators : 'Every %d days' is event Recurring every %d days. %d is a digit */ - sprintf (buffer, ngettext("Every day", "Every %d days", r->interval), r->interval); + g_string_append_printf ( + buffer, ngettext ("Every day", + "Every %d days", r->interval), + r->interval); break; case ICAL_WEEKLY_RECURRENCE: 
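Review bot: The timezone display name is still appended to the HTML buffer unescaped in both branches (`_(display_name)` and `display_name`) of the `@@ -703,21` hunk, so the change removes the overflow but not a possible markup-injection path. The zone is looked up from `priv->top_level` by `dt->tzid`, which presumably comes from the received iTIP message. Whether the display name can carry sender-controlled text depends on code outside this hunk. Escaping before appending would close it: `gchar *esc = g_markup_escape_text (display_name, -1); g_string_append (buffer, esc); g_free (esc);`. write_label_piece starts in an earlier hunk.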
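Review bot: The hand-counted length in `g_string_append_len (buffer, "<b>Recurring:</b> ", 18)` (hunk `@@ -754,19`) has to be kept in sync with the literal by hand; the counts in this commit are correct, but a later edit to the literal that misses the count would either read past it or truncate the markup. `g_string_append (buffer, "<b>Recurring:</b> ");` does the same job with no count. The same pattern appears for `" <font size=-1>["`, `"]</font>"`, `", "` and `"<br>"` in the neighbouring hunks. Likewise `g_string_append_printf (buffer, "%s", _("Yes. (Complex Recurrence)"))` can be a plain `g_string_append (buffer, _("Yes. (Complex Recurrence)"));`. write_recurrence_piece continues beyond this hunk.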
@@ -792,29 +793,36 @@ write_recurrence_piece (EItipControl *itip, ECalComponent *comp, Every %d week/weeks" */ /* For Translators : 'Every week' is event Recurring every week */ /* For Translators : 'Every %d weeks' is event Recurring every %d weeks. %d is a digit */ - sprintf (buffer, ngettext("Every week", "Every %d weeks", r->interval), r->interval); + g_string_append_printf ( + buffer, ngettext ("Every week", + "Every %d weeks", r->interval), + r->interval); } else { /* For Translators : 'Every week on' is event Recurring every week on (dayname) and (dayname) and (dayname) */ /* For Translators : 'Every %d weeks on' is event Recurring: every %d weeks on (dayname) and (dayname). %d is a digit */ - sprintf (buffer, ngettext("Every week on ", "Every %d weeks on ", r->interval), r->interval); + g_string_append_printf ( + buffer, ngettext ("Every week on ", + "Every %d weeks on ", r->interval), + r->interval); for (i = 1; i < 8 && r->by_day[i] != ICAL_RECURRENCE_ARRAY_MAX; i++) { if (i > 1) - strcat (buffer, ", "); - strcat (buffer, get_dayname (r, i - 1)); + g_string_append_len (buffer, ", ", 2); + g_string_append (buffer, get_dayname (r, i - 1)); } if (i > 1) /* For Translators : 'and' is part of the sentence 'event recurring every week on (dayname) and (dayname)' */ - strcat (buffer, _(" and ")); - strcat (buffer, get_dayname (r, i - 1)); + g_string_append_printf (buffer, "%s", _(" and ")); + g_string_append (buffer, get_dayname (r, i - 1)); } break; case ICAL_MONTHLY_RECURRENCE: if (r->by_month_day[0] != ICAL_RECURRENCE_ARRAY_MAX) { /* For Translators : 'The %s day of' is part of the sentence 'event recurring on the (nth) day of every month.' */ - sprintf (buffer, _("The %s day of "), - nth (r->by_month_day[0])); + g_string_append_printf ( + buffer, _("The %s day of "), + nth (r->by_month_day[0])); } else { int pos; 
@@ -828,20 +836,21 @@ write_recurrence_piece (EItipControl *itip, ECalComponent *comp, /* For Translators : 'The %s %s of' is part of the sentence 'event recurring on the (nth) (dayname) of every month.' eg,third monday of every month */ - sprintf (buffer, _("The %s %s of "), - nth (pos), get_dayname (r, 0)); + g_string_append_printf ( + buffer, _("The %s %s of "), + nth (pos), get_dayname (r, 0)); } - len = strlen (buffer); - buffer += len; - size -= len; /* For Translators: In this can also be translated as "With the period of %d month/months", where %d is a number. The entire sentence is of the form "Recurring: Every %d month/months" */ /* For Translators : 'every month' is part of the sentence 'event recurring on the (nth) day of every month.' */ /* For Translators : 'every %d months' is part of the sentence 'event recurring on the (nth) day of every %d months.' %d is a digit */ - sprintf (buffer, ngettext("every month","every %d months", r->interval), r->interval); + g_string_append_printf ( + buffer, ngettext ("every month", + "every %d months", r->interval), + r->interval); break; case ICAL_YEARLY_RECURRENCE: 
@@ -850,20 +859,22 @@ write_recurrence_piece (EItipControl *itip, ECalComponent *comp, Every %d year/years" */ /* For Translators : 'Every year' is event Recurring every year */ /* For Translators : 'Every %d years' is event Recurring every %d years. %d is a digit */ - sprintf (buffer, ngettext("Every year", "Every %d years", r->interval), r->interval); + g_string_append_printf ( + buffer, ngettext ("Every year", + "Every %d years", r->interval), + r->interval); break; default: g_return_if_reached (); } - len = strlen (buffer); - buffer += len; - size -= len; if (r->count) { /* For Translators:'a total of %d time' is part of the sentence of the form 'event recurring every day,a total of % time.' %d is a digit*/ /* For Translators:'a total of %d times' is part of the sentence of the form 'event recurring every day,a total of % times.' %d is a digit*/ - sprintf (buffer, ngettext("a total of %d time", " a total of %d times", r->count), r->count); + g_string_append_printf ( + buffer, ngettext ("a total of %d time", + " a total of %d times", r->count), r->count); } else if (!icaltime_is_null_time (r->until)) { ECalComponentDateTime dt; @@ -871,12 +882,12 @@ write_recurrence_piece (EItipControl *itip, ECalComponent *comp, dt.value = &r->until; dt.tzid = icaltimezone_get_tzid ((icaltimezone *)r->until.zone); - write_label_piece (itip, &dt, buffer, size, + write_label_piece (itip, &dt, buffer, /* For Translators : ', ending on' is part of the sentence of the form 'event recurring every day, ending on (date).'*/ _(", ending on "), NULL, TRUE); } - strcat (buffer, "<br>"); + g_string_append_len (buffer, "<br>", 4); } static void 
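Review bot: The count suffix is appended directly after the frequency text, and the singular msgid `"a total of %d time"` lacks the leading space that the plural `" a total of %d times"` has, so a one-occurrence rule renders as e.g. "Every daya total of 1 time". Both forms should start with the same separator, e.g. `ngettext (" a total of %d time", " a total of %d times", r->count)`; this changes a msgid, so translations need a refresh. The strings predate this commit and the rewrite carries them over unchanged. write_recurrence_piece begins before this hunk.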
@@ -884,47 +895,51 @@ set_date_label (EItipControl *itip, GtkHTML *html, GtkHTMLStream *html_stream, ECalComponent *comp) { ECalComponentDateTime datetime; - static char buffer[1024]; + GString *buffer; gchar *str; gboolean wrote = FALSE, task_completed = FALSE; ECalComponentVType type; + buffer = g_string_sized_new (1024); type = e_cal_component_get_vtype (comp); - buffer[0] = '\0'; e_cal_component_get_dtstart (comp, &datetime); if (datetime.value) { /* For Translators : 'starts' is starts:date implying a task starts on what date */ str = g_strdup_printf ("<b>%s:</b>", _("Starts")); - write_label_piece (itip, &datetime, buffer, 1024, - str, - "<br>", FALSE); - gtk_html_write (html, html_stream, buffer, strlen(buffer)); + write_label_piece (itip, &datetime, buffer, str, "<br>", FALSE); + gtk_html_write (html, html_stream, buffer->str, buffer->len); wrote = TRUE; g_free (str); } e_cal_component_free_datetime (&datetime); - buffer[0] = '\0'; + /* Reset the buffer. */ + g_string_truncate (buffer, 0); + e_cal_component_get_dtend (comp, &datetime); if (datetime.value){ /* For Translators : 'ends' is ends:date implying a task ends on what date */ str = g_strdup_printf ("<b>%s:</b>", _("Ends")); - write_label_piece (itip, &datetime, buffer, 1024, str, "<br>", FALSE); - gtk_html_write (html, html_stream, buffer, strlen (buffer)); + write_label_piece (itip, &datetime, buffer, str, "<br>", FALSE); + gtk_html_write (html, html_stream, buffer->str, buffer->len); wrote = TRUE; g_free (str); } e_cal_component_free_datetime (&datetime); - buffer[0] = '\0'; + /* Reset the buffer. */ + g_string_truncate (buffer, 0); + if (e_cal_component_has_recurrences (comp)) { - write_recurrence_piece (itip, comp, buffer, 1024); - gtk_html_write (html, html_stream, buffer, strlen (buffer)); + write_recurrence_piece (itip, comp, buffer); + gtk_html_write (html, html_stream, buffer->str, buffer->len); wrote = TRUE; } - buffer[0] = '\0'; + /* Reset the buffer. 
*/ + g_string_truncate (buffer, 0); + datetime.tzid = NULL; e_cal_component_get_completed (comp, &datetime.value); if (type == E_CAL_COMPONENT_TODO && datetime.value) { @@ -932,20 +947,22 @@ set_date_label (EItipControl *itip, GtkHTML *html, GtkHTMLStream *html_stream, timezone. */ str = g_strdup_printf ("<b>%s:</b>", _("Completed")); datetime.value->is_utc = TRUE; - write_label_piece (itip, &datetime, buffer, 1024, str, "<br>", FALSE); - gtk_html_write (html, html_stream, buffer, strlen (buffer)); + write_label_piece (itip, &datetime, buffer, str, "<br>", FALSE); + gtk_html_write (html, html_stream, buffer->str, buffer->len); wrote = TRUE; task_completed = TRUE; g_free (str); } e_cal_component_free_datetime (&datetime); - buffer[0] = '\0'; + /* Reset the buffer. */ + g_string_truncate (buffer, 0); + e_cal_component_get_due (comp, &datetime); if (type == E_CAL_COMPONENT_TODO && !task_completed && datetime.value) { str = g_strdup_printf ("<b>%s:</b>", _("Due")); - write_label_piece (itip, &datetime, buffer, 1024, str, "<br>", FALSE); - gtk_html_write (html, html_stream, buffer, strlen (buffer)); + write_label_piece (itip, &datetime, buffer, str, "<br>", FALSE); + gtk_html_write (html, html_stream, buffer->str, buffer->len); wrote = TRUE; g_free (str); } @@ -954,6 +971,8 @@ set_date_label (EItipControl *itip, GtkHTML *html, GtkHTMLStream *html_stream, if (wrote) gtk_html_stream_printf (html_stream, "<br>"); + + g_string_free (buffer, TRUE); } static void diff --git a/calendar/gui/itip-utils.c b/calendar/gui/itip-utils.c index cddb3d9b4f..cb29c5329b 100644 --- a/calendar/gui/itip-utils.c +++ b/calendar/gui/itip-utils.c 
@@ -172,50 +172,16 @@ get_attendee_if_attendee_sentby_is_user (GSList *attendees, char *address) } static char * -html_new_lines_for (char *string) +html_new_lines_for (const char *string) { - char *html_string = (char *) malloc (sizeof (char)* (3500)); - int length = strlen (string); - int index = 0; - char *index_ptr = string; - char *temp = string; - - /*Find the first occurence*/ - index_ptr = strstr ((const char *)temp, "\n"); - - /*Doesn't occur*/ - if (index_ptr == NULL) { - strcpy (html_string, (const char *)string); - html_string[length] = '\0'; - return html_string; - } - - /*Split into chunks inserting <br> for \n */ - do{ - while (temp != index_ptr){ - html_string[index++] = *temp; - temp++; - } - temp++; - - html_string[index++] = '<'; - html_string[index++] = 'b'; - html_string[index++] = 'r'; - html_string[index++] = '>'; - - index_ptr = strstr ((const char *)temp, "\n"); - - } while (index_ptr); - - /*Don't leave out the last chunk*/ - while (*temp != '\0'){ - html_string[index++] = *temp; - temp++; - } + gchar **lines; + gchar *joined; - html_string[index] = '\0'; + lines = g_strsplit_set (string, "\n", -1); + joined = g_strjoinv ("<br>", lines); + g_strfreev (lines); - return html_string; + return joined; } char * |
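Review bot: The returned string now comes from `g_strjoinv()` instead of `malloc()`, so every caller must release it with `g_free()`; the callers are outside this hunk and should be checked for a plain `free()`. A comment on the function would pin that down: `/* Returns a newly allocated copy of @string with each "\n" replaced by "<br>"; free with g_free(). */`. The function still passes `<`, `>` and `&` through untouched, so if the input is sender-supplied text that ends up in HTML it needs `g_markup_escape_text()` before the split. With a single-character delimiter, `g_strsplit (string, "\n", -1)` reads more directly than `g_strsplit_set`.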