From 6489f20d6905cc797e2b2581c415e558c457caa7 Mon Sep 17 00:00:00 2001
From: Milan Crha
Date: Wed, 12 Feb 2020 18:59:52 +0100
Subject: [PATCH] I#784 - Warn about and limit what can be attached using mailto: URI
Closes https://gitlab.gnome.org/GNOME/evolution/issues/784
---
 src/composer/e-msg-composer.c | 58 +++++++++++++++++++++++++++++------
 src/e-util/e-system.error.xml | 7 ++++-
 2 files changed, 54 insertions(+), 11 deletions(-)
diff --git a/src/composer/e-msg-composer.c b/src/composer/e-msg-composer.c
index e4c9ac095e..cd3168d882 100644
--- a/src/composer/e-msg-composer.c
+++ b/src/composer/e-msg-composer.c
@@ -4761,7 +4761,8 @@ handle_mailto (EMsgComposer *composer,
 gchar *header, *content, *buf;
 gsize nread, nwritten;
 const gchar *p;
- gint len, clen;
+ gint len, clen, has_attachments = 0;
+ gboolean has_blacklisted_attachment = FALSE;
 table = e_msg_composer_get_header_table (composer);
 view = e_msg_composer_get_attachment_view (composer);
@@ -4844,22 +4845,36 @@ handle_mailto (EMsgComposer *composer,
 } else if (!g_ascii_strcasecmp (header, "attach") ||
 !g_ascii_strcasecmp (header, "attachment")) {
 EAttachment *attachment;
+ GFile *file;
 camel_url_decode (content);
- if (file_is_blacklisted (content))
- e_alert_submit (
- E_ALERT_SINK (e_msg_composer_get_editor (composer)),
- "mail:blacklisted-file",
- content, NULL);
 if (g_ascii_strncasecmp (content, "file:", 5) == 0)
 attachment = e_attachment_new_for_uri (content);
 else
 attachment = e_attachment_new_for_path (content);
- e_attachment_store_add_attachment (store, attachment);
- e_attachment_load_async (
- attachment, (GAsyncReadyCallback)
- e_attachment_load_handle_error, composer);
+ file = e_attachment_ref_file (attachment);
+ if (!file || !g_file_peek_path (file) ||
+ !g_file_test (g_file_peek_path (file), G_FILE_TEST_EXISTS) ||
+ g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_DIR)) {
+ /* Do nothing, simply ignore the attachment request */
+ } else {
+ has_attachments++;
+
+ if (file_is_blacklisted (content)) {
+ has_blacklisted_attachment = TRUE;
+ e_alert_submit (
+ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
+ "mail:blacklisted-file",
+ content, NULL);
+ }
+
+ e_attachment_store_add_attachment (store, attachment);
+ e_attachment_load_async (
+ attachment, (GAsyncReadyCallback)
+ e_attachment_load_handle_error, composer);
+ }
 g_object_unref (attachment);
+ g_clear_object (&file);
 } else if (!g_ascii_strcasecmp (header, "from")) {
 /* Ignore */
 } else if (!g_ascii_strcasecmp (header, "reply-to")) {
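Review bot: The guard added in the `attach`/`attachment` branch only rejects missing paths and directories, so a FIFO or device node named in a mailto: URI would still be handed to `e_attachment_load_async`; a single `g_file_test (g_file_peek_path (file), G_FILE_TEST_IS_REGULAR)` in place of the `EXISTS`/`IS_DIR` pair limits it to regular files. A path that matches `file_is_blacklisted` is also still added to the store, with only the `mail:blacklisted-file` alert shown, so if the goal is to limit what a link can attach, that branch should skip the add rather than warn. The blacklist test receives the raw `content` string while the existence tests use the resolved `GFile` path; `file_is_blacklisted` is defined outside this hunk, so it is worth confirming both resolve to the same file. Ignored requests are dropped silently, and a `g_debug` line in the empty branch would give support and triage something to look for. `handle_mailto` begins and ends outside the hunk.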
@@ -4883,6 +4898,29 @@ handle_mailto (EMsgComposer *composer,
 g_free (buf);
+ if (has_attachments && !has_blacklisted_attachment) {
+ const gchar *primary;
+ gchar *secondary;
+
+ primary = g_dngettext (GETTEXT_PACKAGE,
+ "Review attachment before sending.",
+ "Review attachments before sending.",
+ has_attachments);
+
+ secondary = g_strdup_printf (g_dngettext (GETTEXT_PACKAGE,
+ "There had been added %d attachment. Make sure it does not contain any sensitive information before sending the message.",
+ "There had been added %d attachments. Make sure they do not contain any sensitive information before sending the message.",
+ has_attachments),
+ has_attachments);
+
+ e_alert_submit (
+ E_ALERT_SINK (e_msg_composer_get_editor (composer)),
+ "system:generic-warning",
+ primary, secondary, NULL);
+
+ g_free (secondary);
+ }
+
 merge_always_cc_and_bcc (table, to, &cc, &bcc);
 tov = destination_list_to_vector (to);
diff --git a/src/e-util/e-system.error.xml b/src/e-util/e-system.error.xml
index ddcf989fda..02facb7d26 100644
--- a/src/e-util/e-system.error.xml
+++ b/src/e-util/e-system.error.xml
@@ -1,6 +1,11 @@
- + + {0} + {1} + + + {0} {1}
-- 
GitLab
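Review bot: The reminder added after `g_free (buf)` is suppressed whenever `has_blacklisted_attachment` is set, so a link that attaches one blacklisted file plus several ordinary ones leaves the user with alerts that name only the blacklisted files. If that is deliberate (for example to avoid stacking two alerts), a comment such as `/* The blacklisted-file alert already asks for a review; do not show a second one */` above the `if` would record it; otherwise drop the `!has_blacklisted_attachment` term. `has_attachments` counts requests that passed the file checks, not loads that finished, since `e_attachment_load_async` completes later, so the number shown can exceed what actually ends up attached. The secondary strings read awkwardly; `"%d attachment was added."` and `"%d attachments were added."` would be clearer openings. `handle_mailto` continues outside the hunk.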