Mercurial > pidgin
diff pidgin/gtkutils.c @ 31819:70ff869a74d1
Open an explorer.exe window at the location of the file when clicking
on a file link instead of executing the file, because executing a file
can be potentially dangerous. Problem discovered by James Burton of
Insomnia Security. Fixed by Eion Robb.
| author | Mark Doliner <mark@kingant.net> |
|---|---|
| date | Thu, 18 Aug 2011 08:38:23 +0000 |
| parents | e2c6e4fc3c84 |
| children | 58e0e310ef2e 7b1cb7651609 |
line wrap: on
line diff
--- a/pidgin/gtkutils.c Thu Aug 18 08:00:50 2011 +0000 +++ b/pidgin/gtkutils.c Thu Aug 18 08:38:23 2011 +0000 @@ -3282,13 +3282,26 @@ #ifdef _WIN32 /* If using Win32... */ int code; - wchar_t *wc_filename = g_utf8_to_utf16( - uri, -1, NULL, NULL, NULL); - - code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, - SW_SHOW); - - g_free(wc_filename); + if (purple_str_has_prefix(uri, "file://")) + { + gchar *escaped = g_shell_quote(uri); + gchar *param = g_strconcat("/select,\"", uri, "\"", NULL); + gchar *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL); + + code = (int)ShellExecuteW(NULL, "OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL); + + g_free(wc_param); + g_free(param); + g_free(escaped); + } else { + wchar_t *wc_filename = g_utf8_to_utf16( + uri, -1, NULL, NULL, NULL); + + code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, + SW_SHOW); + + g_free(wc_filename); + } if (code == SE_ERR_ASSOCINCOMPLETE || code == SE_ERR_NOASSOC) {