Created attachment 2077 [details] possible patch Claws Mail supports the undocumented "insert" field within the mailto URI. Setting this field to a valid path should result in Claws Mail setting the specific file's content as the new mail's body. Contrary to the code for the attach functionality, there are no parameter checks. This allows the creation of an mailto URI to send, for example, /etc/passwd. Furthermore, there is also no check if the parameter is a regular file. Passing a device results in copying all its data into memory. By selecting /dev/zero my system has hung within seconds. A patch is attached which hopefully fixes these problems.
fixed in git. thanks for that patch!