Bug 4373

Summary: attach mailto URI double free
Product: Claws Mail (GTK 2) Reporter: Alvar Penning <post>
Component: OtherAssignee: users
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: 3.17.7   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
possible patch none

Description Alvar Penning 2020-08-18 20:50:44 UTC
Created attachment 2076 [details]
possible patch

Claws Mail supports the undocumented "attach" field within the mailto URI. Setting this field to a valid path should result in Claws Mail adding the specific file as an attachment to the new mail.

This feature was also discussed in the recently published paper "Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption" by Müller et al.

The scan_mailto_url function within common/utils.c checks the attach value against an array of forbidden URIs (forbidden_uris). In case of a match the file should not be attached.

This is done by "unsetting" the tmp variable which stores the attach value. However, the current code only frees the variable but does not NULLs it. The following "if (tmp) { … }" branch will be executed which results in another freeing. Thus, Claws Mail crashed on my machine.

This very if branch might has another bug. Even freeing a valid tmp will result in a freed pointer in the attach array. Thus, attaching a valid file errors.

A patch is attached which hopefully fixes these two problems.
Comment 1 Paul 2020-08-19 08:56:53 UTC
fixed in git. thanks for that patch!