authorJeffrey Stedfast <fejj@ximian.com>2003-03-13 05:39:09 +0800
committerJeffrey Stedfast <fejj@src.gnome.org>2003-03-13 05:39:09 +0800
commit4b32de61d00bf5ae12d4179bede135fd2ded0f9c (patch)
tree92debe525bfb370732bd8d56328ca461203a2a3f /mail/mail-display.c
parent1f54deb5584629a657a69d62db0e07935322be05 (diff)
Security vulnerability fixes.
2003-03-12 Jeffrey Stedfast <fejj@ximian.com> Security vulnerability fixes. * mail-display.c (do_external_viewer): Make sure that we don't launch a bonobo control to view a mime-type that we handle internally, otherwise maliciously formed HTML mail using <object> tags could potentially launch a bonobo control to view the mime part bypassing any checks that Evolution might do on the data normally. svn path=/trunk/; revision=20269
Diffstat (limited to 'mail/mail-display.c')
-rw-r--r--mail/mail-display.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/mail/mail-display.c b/mail/mail-display.c
index 83387bde92..955de714ea 100644
--- a/mail/mail-display.c
+++ b/mail/mail-display.c
@@ -1081,6 +1081,11 @@ do_external_viewer (GtkHTML *html, GtkHTMLEmbedded *eb,
CORBA_Environment ev;
CamelStreamMem *cstream;
BonoboStream *bstream;
+ MailMimeHandler *handler;
+
+ handler = mail_lookup_handler (eb->type);
+ if (!handler || handler->builtin)
+ return FALSE;
component = gnome_vfs_mime_get_default_component (eb->type);
if (!component)
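Review bot: The new guard in do_external_viewer keys its decision on `eb->type`, which, going by the commit message, appears to be the type string supplied by the `<object>` tag in the message, so the value being checked is chosen by the sender. Nothing in the visible lines compares it with the content type of the MIME part that is eventually handed to the component, so a mismatch between the declared type and the part's real type is not caught here. Consider resolving the part first and refusing when its own content type differs from `eb->type` or maps to a builtin handler; that lookup is outside this hunk. The reason for the early return is recorded only in the commit message, and a comment above the check such as `/* never hand a type we render ourselves to a Bonobo control: <object> tags in HTML mail are sender-controlled */` would keep it from being dropped in a later cleanup. The function body starts and ends outside the hunk.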