634dcbd50d
textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
From ac286a71ed78429e16c612161251b9ea90ccd431 Mon Sep 17 00:00:00 2001
|
|
From: Paul <paul@claws-mail.org>
|
|
Date: Sun, 23 May 2021 12:16:40 +0100
|
|
Subject: [PATCH] harden link checker before accepting click
|
|
|
|
[Retrieved from:
|
|
https://git.claws-mail.org/?p=claws.git;a=commit;h=ac286a71ed78429e16c612161251b9ea90ccd431]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
src/textview.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/textview.c b/src/textview.c
|
|
index 62ad46eaf..3cdf5d911 100644
|
|
--- a/src/textview.c
|
|
+++ b/src/textview.c
|
|
@@ -2885,7 +2885,7 @@ gboolean textview_uri_security_check(TextView *textview, ClickableText *uri)
|
|
gboolean retval = TRUE;
|
|
|
|
if (is_uri_string(uri->uri) == FALSE)
|
|
- return TRUE;
|
|
+ return FALSE;
|
|
|
|
visible_str = textview_get_visible_uri(textview, uri);
|
|
if (visible_str == NULL)
|
|
@@ -2922,6 +2922,8 @@ gboolean textview_uri_security_check(TextView *textview, ClickableText *uri)
|
|
if (aval == G_ALERTALTERNATE)
|
|
retval = TRUE;
|
|
}
|
|
+ if (strlen(uri->uri) > get_uri_len(uri->uri))
|
|
+ retval = FALSE;
|
|
|
|
g_free(visible_str);
|
|
|
|
--
|
|
2.25.1
|
|
|