authorVibha Yadav <yvibha@novell.com>2011-09-15 20:33:53 +0800
committerVibha Yadav <yvibha@novell.com>2011-09-15 20:33:53 +0800
commit1544ad3a69ff1f19993eb7081f2ed09f9d12fc3a (patch)
tree6282647cb6046f4f8defe0a0c74706a482d60feb /composer
parent47e9bcea88bf4899b09c9fd41766cbcb2315f859 (diff)
Bug #657374 - mailto: attachment parameter can lead to accidental data exfiltration
Throw a warning when hidden/security files are attached by the mailto command.
Diffstat (limited to 'composer')
-rw-r--r--composer/e-msg-composer.c30
1 files changed, 30 insertions, 0 deletions
diff --git a/composer/e-msg-composer.c b/composer/e-msg-composer.c
index c41c4019b3..0eaf3caa6b 100644
--- a/composer/e-msg-composer.c
+++ b/composer/e-msg-composer.c
@@ -128,6 +128,8 @@ static void handle_multipart_signed (EMsgComposer *composer,
static void e_msg_composer_alert_sink_init (EAlertSinkInterface *interface);
+gboolean check_blacklisted_file (gchar *filename);
+
G_DEFINE_TYPE_WITH_CODE (
EMsgComposer,
e_msg_composer,
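Review bot: The prototype `gboolean check_blacklisted_file (gchar *filename);` gives the helper external linkage and a non-const parameter, although the only caller visible in this patch is handle_mailto in the same file and the function only reads the string. Declaring it `static gboolean check_blacklisted_file (const gchar *filename);`, with the definition in the later hunk changed to match, keeps the symbol out of the exported namespace and lets callers pass constant strings. The forward declaration is also unnecessary if the definition stays above handle_mailto, as it does in this patch.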
@@ -4003,6 +4005,28 @@ merge_always_cc_and_bcc (EComposerHeaderTable *table,
e_destination_freev (addrv);
}
+static const gchar *blacklisted_files [] = {".", "etc", ".."};
+
+gboolean check_blacklisted_file (gchar *filename)
+{
+ gboolean blacklisted = FALSE;
+ gint i,j,len;
+ gchar **filename_part;
+
+ filename_part = g_strsplit (filename, G_DIR_SEPARATOR_S, -1);
+ len = g_strv_length(filename_part);
+ for(i = 0; !blacklisted && i < G_N_ELEMENTS(blacklisted_files); i++)
+ {
+ for (j = 0; !blacklisted && j < len;j++)
+ if (g_str_has_prefix (filename_part[j], blacklisted_files[i]))
+ blacklisted = TRUE;
+ }
+
+ g_strfreev(filename_part);
+
+ return blacklisted;
+}
+
static void
handle_mailto (EMsgComposer *composer,
const gchar *mailto)
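Review bot: The prefix test `g_str_has_prefix (filename_part[j], blacklisted_files[i])` flags any path component that merely begins with `etc` (for example a file called `etchings.png`), and the `".."` entry is redundant because `"."` already matches it. Matching `etc` exactly and testing hidden components separately, `if (filename_part[j][0] == '.' || g_strcmp0 (filename_part[j], "etc") == 0)`, keeps the warning meaningful and removes the need for the outer loop over the table. The string is split on `G_DIR_SEPARATOR_S`, but the caller also passes `file:` URIs, whose separator is always `/`; on a platform where the two differ the components would presumably not be separated, so this is worth confirming. A short comment above `blacklisted_files` saying that the list only triggers a warning and is not a complete deny-list would help the next reader.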
@@ -4094,8 +4118,14 @@ handle_mailto (EMsgComposer *composer,
} else if (!g_ascii_strcasecmp (header, "attach") ||
!g_ascii_strcasecmp (header, "attachment")) {
EAttachment *attachment;
+ gboolean check = FALSE;
camel_url_decode (content);
+ check = check_blacklisted_file(content);
+ if(check)
+ e_alert_submit (
+ E_ALERT_SINK (composer),
+ "mail:blacklisted-file", content, NULL);
if (g_ascii_strncasecmp (content, "file:", 5) == 0)
attachment = e_attachment_new_for_uri (content);
else
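Review bot: The alert submitted with `"mail:blacklisted-file"` does not stop the attachment: in the visible lines control falls straight through to `e_attachment_new_for_uri (content)`, so a flagged file is still added to the message and the user has to notice the alert and remove it by hand. For the accidental-exfiltration case named in the bug title, skipping the attachment when `check` is TRUE, or asking for confirmation before adding it, would be a stronger control than a passive notice. The check also covers only hidden components and `etc`, so any other local file named in a mailto: link is attached with no notice at all; raising a notice for every mailto-supplied attachment would close that gap. The rest of handle_mailto lies outside the hunk, so how the attachment is loaded afterwards is not visible here.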