diff options
author | Vibha Yadav <yvibha@novell.com> | 2011-10-04 14:38:43 +0800 |
---|---|---|
committer | Vibha Yadav <yvibha@novell.com> | 2011-10-04 14:38:43 +0800 |
commit | 273b10a5baebd97bea4aeb1dae158f93ce93eb72 (patch) | |
tree | 083d1343da405db5745ec6d3f7b76fea4fc46937 /composer | |
parent | d5658725bf1c8cf7a705ca15e4fdd9b28939dd7e (diff) | |
download | gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar.gz gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar.bz2 gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar.lz gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar.xz gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.tar.zst gsoc2013-evolution-273b10a5baebd97bea4aeb1dae158f93ce93eb72.zip |
Bug #657374 - mailto: attachment parameter can lead to accidental data exfiltration
Through warning on attaching Hidden/security files by mailto command.
Diffstat (limited to 'composer')
-rw-r--r-- | composer/e-msg-composer.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/composer/e-msg-composer.c b/composer/e-msg-composer.c index ba7a7a4641..e58fd6fdf4 100644 --- a/composer/e-msg-composer.c +++ b/composer/e-msg-composer.c @@ -128,6 +128,8 @@ static void handle_multipart_signed (EMsgComposer *composer, static void e_msg_composer_alert_sink_init (EAlertSinkInterface *interface); +gboolean check_blacklisted_file (gchar *filename); + G_DEFINE_TYPE_WITH_CODE ( EMsgComposer, e_msg_composer, @@ -4006,6 +4008,28 @@ merge_always_cc_and_bcc (EComposerHeaderTable *table, e_destination_freev (addrv); } +static const gchar *blacklisted_files [] = {".", "etc", ".."}; + +gboolean check_blacklisted_file (gchar *filename) +{ + gboolean blacklisted = FALSE; + gint i,j,len; + gchar **filename_part; + + filename_part = g_strsplit (filename, G_DIR_SEPARATOR_S, -1); + len = g_strv_length(filename_part); + for(i = 0; !blacklisted && i < G_N_ELEMENTS(blacklisted_files); i++) + { + for (j = 0; !blacklisted && j < len;j++) + if (g_str_has_prefix (filename_part[j], blacklisted_files[i])) + blacklisted = TRUE; + } + + g_strfreev(filename_part); + + return blacklisted; +} + static void handle_mailto (EMsgComposer *composer, const gchar *mailto) @@ -4097,8 +4121,14 @@ handle_mailto (EMsgComposer *composer, } else if (!g_ascii_strcasecmp (header, "attach") || !g_ascii_strcasecmp (header, "attachment")) { EAttachment *attachment; + gboolean check = FALSE; camel_url_decode (content); + check = check_blacklisted_file(content); + if(check) + e_alert_submit ( + E_ALERT_SINK (composer), + "mail:blacklisted-file", content, NULL); if (g_ascii_strncasecmp (content, "file:", 5) == 0) attachment = e_attachment_new_for_uri (content); else |