Mercurial > pidgin
changeset 9520:cb7f26f30d02
[gaim-migrate @ 10347]
"I can put you in Queens on the night of the robbery."
"Really? I live in Queens. You got a crack team of
monkeys working around the clock back there?"
Thanks to Daniel Atallah for fixing this and to
Nathan Walp for pointing it out.
committer: Tailor Script <tailor@pidgin.im>
author | Mark Doliner <mark@kingant.net> |
---|---|
date | Tue, 13 Jul 2004 01:37:00 +0000 |
parents | 8cd47267c5bd |
children | 9b2f1444811f |
files | src/gtknotify.c |
diffstat | 1 files changed, 15 insertions(+), 1 deletions(-) |
--- a/src/gtknotify.c Mon Jul 12 19:47:46 2004 +0000 +++ b/src/gtknotify.c Tue Jul 13 01:37:00 2004 +0000 @@ -609,7 +609,21 @@ g_free(command); #else /* !_WIN32 */ - ShellExecute(NULL, NULL, uri, NULL, ".\\", 0); + /** + * Since this could be potentially dangerous, + * allowing a URI to try to perform some sort of malicious operation, + * we only allow execution when the URI starts with + * "http://", "https://", "ftp://", "mailto:" + */ + if (g_ascii_strncasecmp(uri, "http://", 7) == 0 + || g_ascii_strncasecmp(uri, "mailto:", 7) == 0 + || g_ascii_strncasecmp(uri, "https://", 8) == 0 + || g_ascii_strncasecmp(uri, "ftp://", 6) == 0 + ) { + ShellExecute(NULL, NULL, uri, NULL, ".\\", 0); + } else { + gaim_debug_misc("gtknotify", "Ignoring '%s' URI as it is not recognized as a secure URI.\n", uri); + } #endif /* !_WIN32 */ return NULL;
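Review bot: In the new allowlist condition, each g_ascii_strncasecmp call carries a hand-counted length (7, 7, 8, 6) that has to stay in step with its string literal. A static table of permitted prefixes, iterated with strlen() on each entry, would remove the chance of a miscounted length the next time a scheme is added and would keep the comment's list and the code from drifting apart. The check also sits only in the ShellExecute branch; if the other side of the #else passes uri into the command it builds, the same filter belongs above the platform split so both paths share it. Finally, the debug text says the input is "not recognized as a secure URI", but the test is on the scheme prefix only, so wording such as "unsupported URI scheme" would describe it more accurately, and the user currently gets no visible feedback when a link is ignored.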