aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--mail/ChangeLog10
-rw-r--r--mail/mail-format.c33
2 files changed, 33 insertions, 10 deletions
diff --git a/mail/ChangeLog b/mail/ChangeLog
index ec8c9e200c..7b553f817e 100644
--- a/mail/ChangeLog
+++ b/mail/ChangeLog
@@ -1,5 +1,15 @@
2003-03-12 Jeffrey Stedfast <fejj@ximian.com>
+ Security vulnerability fixes.
+
+ * mail-format.c (handle_text_html, attachment_header)
+ (handle_image, handle_via_bonobo): Encode the result from
+ get_cid() so that malicious Content-Id strings cannot bypass the
+ user's preference to not load http images, force a bonobo control
+ to load passing it arbitrary data, etc.
+
+2003-03-12 Jeffrey Stedfast <fejj@ximian.com>
+
* mail-signature-editor.c (menu_file_save_cb): Rewritten to do the
same as the composer's build_message() code.
diff --git a/mail/mail-format.c b/mail/mail-format.c
index 67a4604b2c..9e24a1c065 100644
--- a/mail/mail-format.c
+++ b/mail/mail-format.c
@@ -613,7 +613,7 @@ static void
attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md,
MailDisplayStream *stream)
{
- char *htmlinfo;
+ char *htmlinfo, *cid_html;
const char *info;
/* Start the table, create the pop-up object. */
@@ -622,8 +622,10 @@ attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md,
"<tr><td></td></tr></table></td>");
if (!md->printing) {
+ cid_html = camel_text_to_html (get_cid (part, md), 0, 0);
camel_stream_printf ((CamelStream *) stream, "<td><object classid=\"popup:%s\""
- "type=\"%s\"></object></td>", get_cid (part, md), mime_type);
+ "type=\"%s\"></object></td>", cid_html, mime_type);
+ g_free (cid_html);
}
camel_stream_write_string ((CamelStream *) stream, "<td><table width=3 cellspacing=0 cellpadding=0>"
@@ -1279,6 +1281,7 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
MailDisplay *md, MailDisplayStream *stream)
{
const char *location, *base;
+ char *buf;
camel_stream_write_string ((CamelStream *) stream, "\n<!-- text/html -->\n");
@@ -1303,8 +1306,10 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
if (!location)
location = get_cid (part, md);
+ buf = camel_text_to_html (location, 0, 0);
camel_stream_printf ((CamelStream *) stream, "<iframe src=\"%s\" frameborder=0 "
- "scrolling=no>could not get %s</iframe>", location, location);
+ "scrolling=no>could not get %s</iframe>", buf, buf);
+ g_free (buf);
return TRUE;
}
@@ -1312,8 +1317,12 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
static gboolean
handle_image (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream)
{
- camel_stream_printf ((CamelStream *) stream, "<img hspace=10 vspace=10 src=\"%s\">",
- get_cid (part, md));
+ char *buf;
+
+ buf = camel_text_to_html (get_cid (part, md), 0, 0);
+ camel_stream_printf ((CamelStream *) stream, "<img hspace=10 vspace=10 src=\"%s\">", buf);
+ g_free (buf);
+
return TRUE;
}
@@ -1814,11 +1823,15 @@ static gboolean
handle_via_bonobo (CamelMimePart *part, const char *mime_type,
MailDisplay *md, MailDisplayStream *stream)
{
- if (!md->printing) {
- camel_stream_printf ((CamelStream *) stream,
- "<object classid=\"%s\" type=\"%s\"></object>",
- get_cid (part, md), mime_type);
- }
+ char *buf;
+
+ if (md->printing)
+ return TRUE;
+
+ buf = camel_text_to_html (get_cid (part, md), 0, 0);
+ camel_stream_printf ((CamelStream *) stream, "<object classid=\"%s\" type=\"%s\"></object>",
+ buf, mime_type);
+ g_free (buf);
return TRUE;
}