aboutsummaryrefslogtreecommitdiffstats
path: root/mail/em-format-html.c
diff options
context:
space:
mode:
authorNot Zed <NotZed@Ximian.com>2005-06-25 01:38:12 +0800
committerMichael Zucci <zucchi@src.gnome.org>2005-06-25 01:38:12 +0800
commit9066b42dddc33e74a7aacb4e44125f148785280d (patch)
tree440f6e3646f711c8f9e2dfa513a664a3b6f5ca4f /mail/em-format-html.c
parent0ef0eccd868f1072c988f2cadf08845824319d3c (diff)
downloadgsoc2013-evolution-9066b42dddc33e74a7aacb4e44125f148785280d.tar.gz
gsoc2013-evolution-9066b42dddc33e74a7aacb4e44125f148785280d.tar.zst
gsoc2013-evolution-9066b42dddc33e74a7aacb4e44125f148785280d.zip
** See bug #307398
2005-06-25 Not Zed <NotZed@Ximian.com> ** See bug #307398 * mail-session.c (alert_user): copy the prompt string, in 'no cancel' mode we run asynchronously. (free_user_message): & free it. 2005-06-24 Not Zed <NotZed@Ximian.com> * em-format-html.c (efh_url_requested): dont pass data gtkhtml definitely can't handle, to gtkhtml. This is no security patch, but stops gtkhtml wasting time tying to render malicious mails or other rubbish. svn path=/trunk/; revision=29582
Diffstat (limited to 'mail/em-format-html.c')
-rw-r--r--mail/em-format-html.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/mail/em-format-html.c b/mail/em-format-html.c
index d00387ba80..ad26fbacad 100644
--- a/mail/em-format-html.c
+++ b/mail/em-format-html.c
@@ -527,10 +527,25 @@ efh_url_requested(GtkHTML *html, const char *url, GtkHTMLStream *handle, EMForma
puri = em_format_find_visible_puri((EMFormat *)efh, url);
if (puri) {
- puri->use_count++;
-
- d(printf(" adding puri job\n"));
- job = em_format_html_job_new(efh, emfh_getpuri, puri);
+ CamelContentType *ct = ((CamelDataWrapper *)puri->part)->mime_type;
+
+ /* GtkHTML only handles text and images.
+ application/octet-stream parts are the only ones
+ which are snooped for other content. So only try
+ to pass these to it - any other types are badly
+ formed or intentionally malicious emails. They
+ will still show as attachments anyway */
+
+ if (ct && (camel_content_type_is(ct, "text", "*")
+ || camel_content_type_is(ct, "image", "*")
+ || camel_content_type_is(ct, "application", "octet-stream"))) {
+ puri->use_count++;
+
+ d(printf(" adding puri job\n"));
+ job = em_format_html_job_new(efh, emfh_getpuri, puri);
+ } else {
+ gtk_html_stream_close(handle, GTK_HTML_STREAM_ERROR);
+ }
} else if (g_ascii_strncasecmp(url, "http:", 5) == 0 || g_ascii_strncasecmp(url, "https:", 6) == 0) {
d(printf(" adding job, get %s\n", url));
job = em_format_html_job_new(efh, emfh_gethttp, g_strdup(url));