reverted mail-display.c and mail-format.c fixes - pondering better fixes

svn path=/trunk/; revision=20279

mail/ChangeLog

@@ -1,20 +1,3 @@
-2003-03-12  Jeffrey Stedfast  <fejj@ximian.com>
-
-	Security vulnerability fixes.
-
-	* mail-display.c (do_external_viewer): Make sure that we don't
-	launch a bonobo control to view a mime-type that we handle
-	internally, otherwise maliciously formed HTML mail using <object>
-	tags could potentially launch a bonobo vontrol to view the mime
-	part bypassing any checks that Evolution might do on the data
-	normally.
-
-	* mail-format.c (handle_text_html, attachment_header)
-	(handle_image, handle_via_bonobo): Encode the result from
-	get_cid() so that malicious Content-Id strings cannot bypass the
-	user's preference to not load http images, force a bonobo control
-	to load passing it arbitrary data, etc.
-
 2003-03-12  Jeffrey Stedfast  <fejj@ximian.com>
 
 	* mail-signature-editor.c (menu_file_save_cb): Rewritten to do the

mail/mail-display.c

@@ -1081,11 +1081,6 @@ do_external_viewer (GtkHTML *html, GtkHTMLEmbedded *eb,
 	CORBA_Environment ev;
 	CamelStreamMem *cstream;
 	BonoboStream *bstream;
-	MailMimeHandler *handler;
-	
-	handler = mail_lookup_handler (eb->type);
-	if (!handler || handler->builtin)
-		return FALSE;
 	
 	component = gnome_vfs_mime_get_default_component (eb->type);
 	if (!component)

mail/mail-format.c

@@ -613,7 +613,7 @@ static void
 attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md,
 		   MailDisplayStream *stream)
 {
-	char *htmlinfo, *cid_html;
+	char *htmlinfo;
 	const char *info;
 	
 	/* Start the table, create the pop-up object. */
@@ -622,10 +622,8 @@ attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md,
 				   "<tr><td></td></tr></table></td>");
 	
 	if (!md->printing) {
-		cid_html = camel_text_to_html (get_cid (part, md), 0, 0);
 		camel_stream_printf ((CamelStream *) stream, "<td><object classid=\"popup:%s\""
-				     "type=\"%s\"></object></td>", cid_html, mime_type);
-		g_free (cid_html);
+				     "type=\"%s\"></object></td>", get_cid (part, md), mime_type);
 	}
 	
 	camel_stream_write_string ((CamelStream *) stream, "<td><table width=3 cellspacing=0 cellpadding=0>"
@@ -1281,7 +1279,6 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
 		  MailDisplay *md, MailDisplayStream *stream)
 {
 	const char *location, *base;
-	char *buf;
 	
 	camel_stream_write_string ((CamelStream *) stream, "\n<!-- text/html -->\n");
 	
@@ -1306,10 +1303,8 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
 	if (!location)
 		location = get_cid (part, md);
 	
-	buf = camel_text_to_html (location, 0, 0);
 	camel_stream_printf ((CamelStream *) stream, "<iframe src=\"%s\" frameborder=0 "
-			     "scrolling=no>could not get %s</iframe>", buf, buf);
-	g_free (buf);
+			     "scrolling=no>could not get %s</iframe>", location, location);
 	
 	return TRUE;
 }
@@ -1317,12 +1312,8 @@ handle_text_html (CamelMimePart *part, const char *mime_type,
 static gboolean
 handle_image (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream)
 {
-	char *buf;
-	
-	buf = camel_text_to_html (get_cid (part, md), 0, 0);
-	camel_stream_printf ((CamelStream *) stream, "<img hspace=10 vspace=10 src=\"%s\">", buf);
-	g_free (buf);
-	
+	camel_stream_printf ((CamelStream *) stream, "<img hspace=10 vspace=10 src=\"%s\">",
+			     get_cid (part, md));
 	return TRUE;
 }
 
@@ -1823,15 +1814,11 @@ static gboolean
 handle_via_bonobo (CamelMimePart *part, const char *mime_type,
 		   MailDisplay *md, MailDisplayStream *stream)
 {
-	char *buf;
-	
-	if (md->printing)
-		return TRUE;
-	
-	buf = camel_text_to_html (get_cid (part, md), 0, 0);
-	camel_stream_printf ((CamelStream *) stream, "<object classid=\"%s\" type=\"%s\"></object>",
-			     buf, mime_type);
-	g_free (buf);
+	if (!md->printing) {
+		camel_stream_printf ((CamelStream *) stream,
+				     "<object classid=\"%s\" type=\"%s\"></object>",
+				     get_cid (part, md), mime_type);
+	}
 	
 	return TRUE;
 }