Bug 4373 - attach mailto URI double free
Summary: attach mailto URI double free
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.17.7
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2020-08-18 20:50 UTC by Alvar Penning
Modified: 2020-08-19 08:56 UTC
Attachments
possible patch (676 bytes, patch)
2020-08-18 20:50 UTC, Alvar Penning

Description Alvar Penning 2020-08-18 20:50:44 UTC
Created attachment 2076
possible patch

Claws Mail supports the undocumented "attach" field within the mailto URI. Setting this field to a valid path should result in Claws Mail adding the specific file as an attachment to the new mail.

This feature was also discussed in the recently published paper "Mailto: Me Your Secrets. On Bugs and Features in Email End-to-End Encryption" by Müller et al.

The scan_mailto_url function within common/utils.c checks the attach value against an array of forbidden URIs (forbidden_uris). In case of a match the file should not be attached.

This is done by "unsetting" the tmp variable which stores the attach value. However, the current code only frees the variable but does not NULL it. The following "if (tmp) { … }" branch will be executed, which results in another freeing. Thus, Claws Mail crashed on my machine.

This very if branch might have another bug. Even freeing a valid tmp will result in a freed pointer in the attach array. Thus, attaching a valid file errors.

A patch is attached which hopefully fixes these two problems.
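
The two ownership problems described in the report, modelled as an added example that is not part of the original report and is neither the Claws Mail source nor the attached patch. The deny-list entries, the function names and the instrumented allocator are assumptions made for the demonstration; the allocator only marks blocks as freed so the faulty path can run safely.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocator for the demo: blocks are only marked freed, never
 * released, so the faulty path runs without undefined behaviour. */
typedef struct { int freed; char data[]; } block;
static int double_frees;                 /* second frees that were caught */

static char *demo_strdup(const char *s) {
    block *b = malloc(sizeof *b + strlen(s) + 1);
    if (!b) abort();
    b->freed = 0;
    strcpy(b->data, s);
    return b->data;
}
static block *hdr(char *p) { return (block *)(p - offsetof(block, data)); }
static void demo_free(char *p) {
    if (!p) return;
    if (hdr(p)->freed) double_frees++;   /* a real free() would corrupt or abort */
    hdr(p)->freed = 1;
}
static int is_freed(char *p) { return hdr(p)->freed; }

/* Constructed deny list; the real forbidden_uris entries are not on the page. */
static const char *forbidden[] = { ".gnupg/", ".ssh/", NULL };

/* Flow as the report describes it: free on a match without NULLing tmp, then
 * an if (tmp) branch that stores the pointer and frees it again. */
static char *attach_buggy(const char *value) {
    char *tmp = demo_strdup(value), *stored = NULL;
    for (int i = 0; forbidden[i]; i++)
        if (strstr(tmp, forbidden[i])) { demo_free(tmp); break; }
    if (tmp) { stored = tmp; demo_free(tmp); }
    return stored;                       /* entry left in the attach array */
}

/* Hardened flow: NULL the pointer after freeing it, and treat storing it in
 * the array as an ownership transfer, so it is not freed here. */
static char *attach_fixed(const char *value) {
    char *tmp = demo_strdup(value), *stored = NULL;
    for (int i = 0; forbidden[i]; i++)
        if (strstr(tmp, forbidden[i])) { demo_free(tmp); tmp = NULL; break; }
    if (tmp) stored = tmp;               /* caller frees it with the array */
    return stored;
}
```

With a real allocator, building the unmodified flow with AddressSanitizer (`-fsanitize=address`) reports both the second free and any later read of the stale array entry.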
Comment 1 Paul 2020-08-19 08:56:53 UTC
fixed in git. thanks for that patch!
