Patrick Williams | 8e7b46e | 2023-05-01 14:19:06 -0500 | [diff] [blame^] | 1 | xdg-email does not parse mailto uris properly for thunderbird |
| 2 | |
| 3 | When using thunderbird as mailto handler xdg-email translates mailto uris into an 'thunderbird -compose' argument. While to, cc and bcc values are properly enclosed in single quotes this is not the case for subject or body. This breaks functionality and allows to use all thunderbird -compose arguments within a mailto uri, e.g. |
| 4 | |
| 5 | xdg-email 'mailto:test@example.com?subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt' |
| 6 | |
| 7 | translates into |
| 8 | |
| 9 | thunderbird -compose to='test@example.com,',subject=Test,attachment=~/.thunderbird/profiles.ini,message=/home/test/test.txt |
| 10 | |
| 11 | with working attachment and message. (And, yes, ~ expands to the home directory.) |
| 12 | |
| 13 | Upstream-Status: Submitted [https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205] |
| 14 | |
| 15 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> |
| 16 | |
| 17 | CVE: CVE-2022-4055 |
| 18 | |
| 19 | |
| 20 | Index: xdg-utils-1.1.3/scripts/xdg-email.in |
| 21 | =================================================================== |
| 22 | --- xdg-utils-1.1.3.orig/scripts/xdg-email.in |
| 23 | +++ xdg-utils-1.1.3/scripts/xdg-email.in |
| 24 | @@ -30,53 +30,6 @@ _USAGE |
| 25 | |
| 26 | #@xdg-utils-common@ |
| 27 | |
| 28 | -run_thunderbird() |
| 29 | -{ |
| 30 | - local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY |
| 31 | - THUNDERBIRD="$1" |
| 32 | - MAILTO=$(echo "$2" | sed 's/^mailto://') |
| 33 | - echo "$MAILTO" | grep -qs "^?" |
| 34 | - if [ "$?" = "0" ] ; then |
| 35 | - MAILTO=$(echo "$MAILTO" | sed 's/^?//') |
| 36 | - else |
| 37 | - MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/') |
| 38 | - fi |
| 39 | - |
| 40 | - MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g') |
| 41 | - TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) |
| 42 | - CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) |
| 43 | - BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) |
| 44 | - SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) |
| 45 | - BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) |
| 46 | - |
| 47 | - if [ -z "$TO" ] ; then |
| 48 | - NEWMAILTO= |
| 49 | - else |
| 50 | - NEWMAILTO="to='$TO'" |
| 51 | - fi |
| 52 | - if [ -n "$CC" ] ; then |
| 53 | - NEWMAILTO="${NEWMAILTO},cc='$CC'" |
| 54 | - fi |
| 55 | - if [ -n "$BCC" ] ; then |
| 56 | - NEWMAILTO="${NEWMAILTO},bcc='$BCC'" |
| 57 | - fi |
| 58 | - if [ -n "$SUBJECT" ] ; then |
| 59 | - NEWMAILTO="${NEWMAILTO},$SUBJECT" |
| 60 | - fi |
| 61 | - if [ -n "$BODY" ] ; then |
| 62 | - NEWMAILTO="${NEWMAILTO},$BODY" |
| 63 | - fi |
| 64 | - |
| 65 | - NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') |
| 66 | - DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" |
| 67 | - "$THUNDERBIRD" -compose "$NEWMAILTO" |
| 68 | - if [ $? -eq 0 ]; then |
| 69 | - exit_success |
| 70 | - else |
| 71 | - exit_failure_operation_failed |
| 72 | - fi |
| 73 | -} |
| 74 | - |
| 75 | open_kde() |
| 76 | { |
| 77 | if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then |
| 78 | @@ -130,15 +83,6 @@ open_kde() |
| 79 | |
| 80 | open_gnome3() |
| 81 | { |
| 82 | - local client |
| 83 | - local desktop |
| 84 | - desktop=`xdg-mime query default "x-scheme-handler/mailto"` |
| 85 | - client=`desktop_file_to_binary "$desktop"` |
| 86 | - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 |
| 87 | - if [ $? -eq 0 ] ; then |
| 88 | - run_thunderbird "$client" "$1" |
| 89 | - fi |
| 90 | - |
| 91 | if gio help open 2>/dev/null 1>&2; then |
| 92 | DEBUG 1 "Running gio open \"$1\"" |
| 93 | gio open "$1" |
| 94 | @@ -159,13 +103,6 @@ open_gnome3() |
| 95 | |
| 96 | open_gnome() |
| 97 | { |
| 98 | - local client |
| 99 | - client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || "" |
| 100 | - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 |
| 101 | - if [ $? -eq 0 ] ; then |
| 102 | - run_thunderbird "$client" "$1" |
| 103 | - fi |
| 104 | - |
| 105 | if gio help open 2>/dev/null 1>&2; then |
| 106 | DEBUG 1 "Running gio open \"$1\"" |
| 107 | gio open "$1" |
| 108 | @@ -231,15 +168,6 @@ open_flatpak() |
| 109 | |
| 110 | open_generic() |
| 111 | { |
| 112 | - local client |
| 113 | - local desktop |
| 114 | - desktop=`xdg-mime query default "x-scheme-handler/mailto"` |
| 115 | - client=`desktop_file_to_binary "$desktop"` |
| 116 | - echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 |
| 117 | - if [ $? -eq 0 ] ; then |
| 118 | - run_thunderbird "$client" "$1" |
| 119 | - fi |
| 120 | - |
| 121 | xdg-open "$1" |
| 122 | local ret=$? |
| 123 | |
| 124 | @@ -364,21 +292,6 @@ while [ $# -gt 0 ] ; do |
| 125 | shift |
| 126 | ;; |
| 127 | |
| 128 | - --attach) |
| 129 | - if [ -z "$1" ] ; then |
| 130 | - exit_failure_syntax "file argument missing for --attach option" |
| 131 | - fi |
| 132 | - check_input_file "$1" |
| 133 | - file=`readlink -f "$1"` # Normalize path |
| 134 | - if [ -z "$file" ] || [ ! -f "$file" ] ; then |
| 135 | - exit_failure_file_missing "file '$1' does not exist" |
| 136 | - fi |
| 137 | - |
| 138 | - url_encode "$file" |
| 139 | - options="${options}attach=${result}&" |
| 140 | - shift |
| 141 | - ;; |
| 142 | - |
| 143 | -*) |
| 144 | exit_failure_syntax "unexpected option '$parm'" |
| 145 | ;; |