xdg / xdg-utils / Issues / #177
Issue created Aug 18, 2020 by Jens Mueller@jensvoid

Attaching files with mailto:?attach=... parameter is considered dangerous

In run_thunderbird(), xdg-email greps for a proprietary attach parameter: https://gitlab.freedesktop.org/xdg/xdg-utils/-/blob/master/scripts/xdg-email.in#L51

This allows arbitrary websites with mailto links to add local files on disk into Thunderbird's email composition dialog and should be removed: https://twitter.com/i/status/1295357952480751616

After Thunderbird removed this functionality years ago, I think xdg-email somewhat re-introduced it. Original bug report for Thunderbird: https://bugzilla.mozilla.org/show_bug.cgi?id=1613425
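
A sketch of the mitigation the report asks for, added here as an example and not code from xdg-utils or Thunderbird: a POSIX shell filter that drops the `attach` field from a mailto: URI before it is handed to a mail client. The function name `strip_mailto_attach`, the fail-closed handling of percent-encoded field names, and the sample URIs in the comments are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not part of xdg-utils): remove file-attachment
# fields from a mailto: URI so that a web page cannot pre-attach local files.

strip_mailto_attach() {
    uri=$1
    case $uri in
        *\?*) ;;                                  # has a query part
        *) printf '%s\n' "$uri"; return 0 ;;      # nothing to filter
    esac
    head=${uri%%\?*}          # e.g. mailto:user@example.org
    query=${uri#*\?}          # everything after the first '?'
    kept=

    # Split the query on '&'; disable globbing so values are never expanded.
    old_ifs=$IFS
    IFS='&'
    set -f
    for field in $query; do
        [ -n "$field" ] || continue
        name=${field%%=*}     # text before the first '='
        lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case $lname in
            # "attach" is the field named in the issue. A name containing
            # '%' could decode to it later, so it is dropped as well
            # (assumption: legitimate header names are not percent-encoded).
            attach|*%*) continue ;;
        esac
        kept="${kept:+$kept&}$field"
    done
    set +f
    IFS=$old_ifs

    if [ -n "$kept" ]; then
        printf '%s?%s\n' "$head" "$kept"
    else
        printf '%s\n' "$head"
    fi
}

# Stand-alone use: ./strip.sh 'mailto:user@example.org?subject=Hi&attach=/home/user/example.txt'
if [ "$#" -gt 0 ]; then
    strip_mailto_attach "$1"
fi
```

Filtering on the decoded, case-folded field name matters because a plain substring match on the raw URI can be sidestepped by case or encoding variants, and can also misfire on a subject or body that merely contains the word.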
