aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPunit Jain <jpunit@novell.com>2011-02-01 14:47:05 +0800
committerPunit Jain <jpunit@novell.com>2011-02-01 14:47:05 +0800
commita9fb511ced4cfaffb7109e58a9db66e6279e309c (patch)
treeffebc3785ef5840040d0cd1f2a977cb5e6020c8b
parentc122f88ac5b42428e8a6f290fd843ad187f6fb78 (diff)
downloadgsoc2013-evolution-a9fb511ced4cfaffb7109e58a9db66e6279e309c.tar.gz
gsoc2013-evolution-a9fb511ced4cfaffb7109e58a9db66e6279e309c.tar.zst
gsoc2013-evolution-a9fb511ced4cfaffb7109e58a9db66e6279e309c.zip
bug #641069 - tnef plugin vulnerabilities
Resolves directory traversal and buffer overflow vulnerabilities.
-rw-r--r--plugins/tnef-attachments/tnef-plugin.c102
1 files changed, 69 insertions, 33 deletions
diff --git a/plugins/tnef-attachments/tnef-plugin.c b/plugins/tnef-attachments/tnef-plugin.c
index e25bff8afc..4148008264 100644
--- a/plugins/tnef-attachments/tnef-plugin.c
+++ b/plugins/tnef-attachments/tnef-plugin.c
@@ -25,6 +25,7 @@
/* We include gi18n-lib.h so that we have strings translated directly for this package */
#include <glib/gi18n-lib.h>
+#include <glib/gprintf.h>
#include <string.h>
#include <stdio.h>
@@ -67,6 +68,19 @@ guchar getRruleCount (guchar a, guchar b);
guchar getRruleMonthNum (guchar a, guchar b);
gchar * getRruleDayname (guchar a);
+static gchar*
+sanitize_filename (const gchar *filename)
+{
+ gchar * sanitized_name;
+ sanitized_name = g_path_get_basename (filename);
+ if (sanitized_name == NULL || !g_strcmp0 (sanitized_name, ".")) {
+ g_free (sanitized_name);
+ return NULL;
+ } else {
+ return g_strdelimit (sanitized_name, " ", '_');
+ }
+}
+
void
org_gnome_format_tnef (gpointer ep, EMFormatHookTarget *t)
{
@@ -216,8 +230,9 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
Attachment *p;
gint RealAttachment;
gint object;
- gchar ifilename[256];
- gint i, count;
+ gchar *ifilename = NULL;
+ gchar *absfilename, *file;
+ gint count;
gint foundCal=0;
FILE *fptr;
@@ -255,10 +270,13 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
!= MAPI_UNDEFINED) {
variableLength buf;
if ((buf.data = (gchar *) DecompressRTF (filename, &buf.size)) != NULL) {
- sprintf(ifilename, "%s/%s.rtf", tmpdir, tnef->subject.data);
- for (i=0; i<strlen (ifilename); i++)
- if (ifilename[i] == ' ')
- ifilename[i] = '_';
+ file = sanitize_filename (tnef->subject.data);
+ if (!file)
+ return;
+ absfilename = g_strconcat (file, ".rtf", NULL);
+ ifilename = g_build_filename (tmpdir, file, NULL);
+ g_free (absfilename);
+ g_free (file);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("ERROR: Error writing file to disk!");
@@ -347,13 +365,14 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
}
if (filename->size == 1) {
filename->size = 20;
- sprintf(tmpname, "file_%03i.dat", count);
+ g_sprintf(tmpname, "file_%03i.dat", count);
filename->data = tmpname;
}
- sprintf(ifilename, "%s/%s", tmpdir, filename->data);
- for (i=0; i<strlen (ifilename); i++)
- if (ifilename[i] == ' ')
- ifilename[i] = '_';
+ absfilename = sanitize_filename (filename->data);
+ if (!absfilename)
+ return;
+ ifilename = g_build_filename (tmpdir, absfilename, NULL);
+ g_free (absfilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("ERROR: Error writing file to disk!");
@@ -375,33 +394,43 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
} /* if size>0 */
p=p->next;
} /* while p!= null */
+ g_free (ifilename);
}
void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
- gchar ifilename[512];
+ gchar *ifilename;
+ gchar *absfilename, *file=NULL;
FILE *fptr;
variableLength *vl;
variableLength *pobox, *street, *city, *state, *zip, *country;
dtr thedate;
- gint boolean, i;
+ gint boolean;
if ((vl = MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_DISPLAY_NAME))) == MAPI_UNDEFINED) {
if ((vl=MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_COMPANY_NAME))) == MAPI_UNDEFINED) {
if (tnef->subject.size > 0) {
- sprintf(ifilename, "%s/%s.vcard", tmpdir, tnef->subject.data);
- } else {
- sprintf(ifilename, "%s/unknown.vcard", tmpdir);
- }
- } else {
- sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
+ file = sanitize_filename (tnef->subject.data);
+ if (!file)
+ return;
+ absfilename = g_strconcat (file, ".vcard", NULL);
+ } else
+ absfilename = g_strdup ("unknown.vcard");
+ } else {
+ file = sanitize_filename (vl->data);
+ if (!file)
+ return;
+ absfilename = g_strconcat (file, ".vcard", NULL);
}
} else {
- sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
+ file = sanitize_filename (vl->data);
+ if (!file)
+ return;
+ absfilename = g_strconcat (file, ".vcard", NULL);
}
- for (i=0; i<strlen (ifilename); i++)
- if (ifilename[i] == ' ')
- ifilename[i] = '_';
- printf("%s\n", ifilename);
+
+ ifilename = g_build_filename (tmpdir, absfilename, NULL);
+ g_free (file);
+ g_free (absfilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("Error writing file to disk!");
@@ -657,6 +686,7 @@ void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCARD\n");
fclose (fptr);
}
+ g_free (ifilename);
}
guchar getRruleCount (guchar a, guchar b) {
@@ -842,7 +872,7 @@ void printRrule (FILE *fptr, gchar *recur_data, gint size, TNEFStruct *tnef)
}
void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
- gchar ifilename[256];
+ gchar *ifilename;
variableLength *filename;
gchar *charptr, *charptr2;
FILE *fptr;
@@ -851,7 +881,7 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
DWORD dword_val;
dtr thedate;
- sprintf(ifilename, "%s/calendar.ics", tmpdir);
+ ifilename = g_build_filename (tmpdir, "calendar.vcf", NULL);
printf("%s\n", ifilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
@@ -1088,13 +1118,15 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCALENDAR\n");
fclose (fptr);
}
+ g_free (ifilename);
}
void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
variableLength *vl;
variableLength *filename;
- gint index,i;
- gchar ifilename[256];
+ gint index;
+ gchar *ifilename;
+ gchar *absfilename, *file;
gchar *charptr, *charptr2;
dtr thedate;
FILE *fptr;
@@ -1111,10 +1143,14 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
while (vl->data[index] == ' ')
vl->data[index--] = 0;
- sprintf(ifilename, "%s/%s.ics", tmpdir, vl->data);
- for (i=0; i<strlen (ifilename); i++)
- if (ifilename[i] == ' ')
- ifilename[i] = '_';
+ file = sanitize_filename (vl->data);
+ if (!file)
+ return;
+ absfilename = g_strconcat (file, ".vcf", NULL);
+ ifilename = g_build_filename (tmpdir, absfilename, NULL);
+ g_free (file);
+ g_free (absfilename);
+
printf("%s\n", ifilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
@@ -1210,7 +1246,7 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCALENDAR\n");
fclose (fptr);
}
-
+ g_free (ifilename);
}
void fprintProperty (TNEFStruct *tnef, FILE *fptr, DWORD proptype, DWORD propid, const gchar text[]) {