From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001 From: Gabriel Corona Date: Thu, 25 Aug 2022 23:51:45 +0200 Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes CVE-2020-27748, CVE-2022-4055) Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780] CVE: CVE-2022-4055 Signed-off-by: Hitendra Prajapati --- scripts/xdg-email.in | 108 ------------------------------------------- 1 file changed, 108 deletions(-) diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in index 13ba2d5..b700679 100644 --- a/scripts/xdg-email.in +++ b/scripts/xdg-email.in @@ -30,76 +30,8 @@ _USAGE #@xdg-utils-common@ -run_thunderbird() -{ - local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY - THUNDERBIRD="$1" - MAILTO=$(echo "$2" | sed 's/^mailto://') - echo "$MAILTO" | grep -qs "^?" - if [ "$?" = "0" ] ; then - MAILTO=$(echo "$MAILTO" | sed 's/^?//') - else - MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/') - fi - - MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g') - TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) - CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) - BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) - SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) - BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) - - if [ -z "$TO" ] ; then - NEWMAILTO= - else - NEWMAILTO="to='$TO'" - fi - if [ -n "$CC" ] ; then - NEWMAILTO="${NEWMAILTO},cc='$CC'" - fi - if [ -n "$BCC" ] ; then - NEWMAILTO="${NEWMAILTO},bcc='$BCC'" - fi - if [ -n "$SUBJECT" ] ; then - NEWMAILTO="${NEWMAILTO},$SUBJECT" - fi - if [ -n "$BODY" ] ; then - NEWMAILTO="${NEWMAILTO},$BODY" - fi - - NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') - DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" - "$THUNDERBIRD" -compose "$NEWMAILTO" - if [ $? -eq 0 ]; then - exit_success - else - exit_failure_operation_failed - fi -} - open_kde() { - if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then - local kreadconfig=kreadconfig$KDE_SESSION_VERSION - else - local kreadconfig=kreadconfig - fi - - if which $kreadconfig >/dev/null 2>&1; then - local profile=$($kreadconfig --file emaildefaults \ - --group Defaults --key Profile) - if [ -n "$profile" ]; then - local client=$($kreadconfig --file emaildefaults \ - --group "PROFILE_$profile" \ - --key EmailClient \ - | cut -d ' ' -f 1) - - if echo "$client" | grep -Eq 'thunderbird|icedove'; then - run_thunderbird "$client" "$1" - fi - fi - fi - local command case "$KDE_SESSION_VERSION" in '') command=kmailservice ;; @@ -130,15 +62,6 @@ open_kde() open_gnome3() { - local client - local desktop - desktop=`xdg-mime query default "x-scheme-handler/mailto"` - client=`desktop_file_to_binary "$desktop"` - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 - if [ $? -eq 0 ] ; then - run_thunderbird "$client" "$1" - fi - if gio help open 2>/dev/null 1>&2; then DEBUG 1 "Running gio open \"$1\"" gio open "$1" @@ -159,13 +82,6 @@ open_gnome3() open_gnome() { - local client - client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || "" - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 - if [ $? -eq 0 ] ; then - run_thunderbird "$client" "$1" - fi - if gio help open 2>/dev/null 1>&2; then DEBUG 1 "Running gio open \"$1\"" gio open "$1" @@ -231,15 +147,6 @@ open_flatpak() open_generic() { - local client - local desktop - desktop=`xdg-mime query default "x-scheme-handler/mailto"` - client=`desktop_file_to_binary "$desktop"` - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 - if [ $? -eq 0 ] ; then - run_thunderbird "$client" "$1" - fi - xdg-open "$1" local ret=$? @@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do shift ;; - --attach) - if [ -z "$1" ] ; then - exit_failure_syntax "file argument missing for --attach option" - fi - check_input_file "$1" - file=`readlink -f "$1"` # Normalize path - if [ -z "$file" ] || [ ! -f "$file" ] ; then - exit_failure_file_missing "file '$1' does not exist" - fi - - url_encode "$file" - options="${options}attach=${result}&" - shift - ;; - -*) exit_failure_syntax "unexpected option '$parm'" ;; -- 2.25.1