From 69c9fbff698b3516ffc216fd8552736b9f040168 Mon Sep 17 00:00:00 2001 From: Jeffrey Stedfast Date: Thu, 13 Mar 2003 20:09:27 +0000 Subject: [PATCH] reverted mail-display.c and mail-format.c fixes - pondering better fixes svn path=/trunk/; revision=20279 --- mail/ChangeLog | 17 ----------------- mail/mail-display.c | 5 ----- mail/mail-format.c | 33 ++++++++++----------------------- 3 files changed, 10 insertions(+), 45 deletions(-) diff --git a/mail/ChangeLog b/mail/ChangeLog index a8be5524cc..ec8c9e200c 100644 --- a/mail/ChangeLog +++ b/mail/ChangeLog @@ -1,20 +1,3 @@ -2003-03-12 Jeffrey Stedfast - - Security vulnerability fixes. - - * mail-display.c (do_external_viewer): Make sure that we don't - launch a bonobo control to view a mime-type that we handle - internally, otherwise maliciously formed HTML mail using - tags could potentially launch a bonobo vontrol to view the mime - part bypassing any checks that Evolution might do on the data - normally. - - * mail-format.c (handle_text_html, attachment_header) - (handle_image, handle_via_bonobo): Encode the result from - get_cid() so that malicious Content-Id strings cannot bypass the - user's preference to not load http images, force a bonobo control - to load passing it arbitrary data, etc. - 2003-03-12 Jeffrey Stedfast * mail-signature-editor.c (menu_file_save_cb): Rewritten to do the diff --git a/mail/mail-display.c b/mail/mail-display.c index 955de714ea..83387bde92 100644 --- a/mail/mail-display.c +++ b/mail/mail-display.c @@ -1081,11 +1081,6 @@ do_external_viewer (GtkHTML *html, GtkHTMLEmbedded *eb, CORBA_Environment ev; CamelStreamMem *cstream; BonoboStream *bstream; - MailMimeHandler *handler; - - handler = mail_lookup_handler (eb->type); - if (!handler || handler->builtin) - return FALSE; component = gnome_vfs_mime_get_default_component (eb->type); if (!component) diff --git a/mail/mail-format.c b/mail/mail-format.c index 9e24a1c065..67a4604b2c 100644 --- a/mail/mail-format.c +++ b/mail/mail-format.c 
@@ -613,7 +613,7 @@ static void attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream) { - char *htmlinfo, *cid_html; + char *htmlinfo; const char *info; /* Start the table, create the pop-up object. */ @@ -622,10 +622,8 @@ attachment_header (CamelMimePart *part, const char *mime_type, MailDisplay *md, ""); if (!md->printing) { - cid_html = camel_text_to_html (get_cid (part, md), 0, 0); camel_stream_printf ((CamelStream *) stream, "", cid_html, mime_type); - g_free (cid_html); + "type=\"%s\">", get_cid (part, md), mime_type); } camel_stream_write_string ((CamelStream *) stream, "" @@ -1281,7 +1279,6 @@ handle_text_html (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream) { const char *location, *base; - char *buf; camel_stream_write_string ((CamelStream *) stream, "\n\n"); @@ -1306,10 +1303,8 @@ handle_text_html (CamelMimePart *part, const char *mime_type, if (!location) location = get_cid (part, md); - buf = camel_text_to_html (location, 0, 0); camel_stream_printf ((CamelStream *) stream, "", buf, buf); - g_free (buf); + "scrolling=no>could not get %s", location, location); return TRUE; } @@ -1317,12 +1312,8 @@ handle_text_html (CamelMimePart *part, const char *mime_type, static gboolean handle_image (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream) { - char *buf; - - buf = camel_text_to_html (get_cid (part, md), 0, 0); - camel_stream_printf ((CamelStream *) stream, "", buf); - g_free (buf); - + camel_stream_printf ((CamelStream *) stream, "", + get_cid (part, md)); return TRUE; } 
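Review bot: After this revert the value returned by get_cid() goes straight into the markup written by camel_stream_printf() in attachment_header, handle_text_html (the `location` fallback) and handle_image, and the same holds for handle_via_bonobo in the later hunk. The ChangeLog entry removed by this commit describes that value as influenced by the message's Content-Id, so quoting or markup characters in it are no longer neutralised at any of the four call sites. Since a better fix is still pending, each site should at least carry a marker such as `/* FIXME: get_cid() result is attacker-influenced and written unescaped; escape before release */` so the exposure is not lost along with the ChangeLog text. A single escaping helper wrapped around get_cid() would likely be a cleaner long-term shape than four separate encode/free pairs, though get_cid() itself is outside these hunks so that needs checking against its other callers. The revert also drops the builtin-handler guard from do_external_viewer in mail-display.c, which deserves the same tracking.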
@@ -1823,15 +1814,11 @@ static gboolean handle_via_bonobo (CamelMimePart *part, const char *mime_type, MailDisplay *md, MailDisplayStream *stream) { - char *buf; - - if (md->printing) - return TRUE; - - buf = camel_text_to_html (get_cid (part, md), 0, 0); - camel_stream_printf ((CamelStream *) stream, "", - buf, mime_type); - g_free (buf); + if (!md->printing) { + camel_stream_printf ((CamelStream *) stream, + "", + get_cid (part, md), mime_type); + } return TRUE; }