}
gchar *
-modest_text_utils_get_secure_header (gchar *value,
+modest_text_utils_get_secure_header (const gchar *value,
const gchar *header)
{
- gchar *new_value = value;
+ const gint max_len = 128;
+ gchar *new_value = NULL;
gchar *needle = g_strrstr (value, header);
- if (needle) {
- gchar *tmp = value;
+ if (needle && value != needle)
new_value = g_strdup (needle + strlen (header));
- g_free (tmp);
+
+ if (!new_value)
+ new_value = g_strdup (value);
+
+ /* Do a max length check to prevent DoS attacks caused by huge
+ malformed headers */
+ if (g_utf8_validate (new_value, -1, NULL)) {
+ if (g_utf8_strlen (new_value, -1) > max_len) {
+ gchar *tmp = g_malloc0 (max_len * 4);
+ g_utf8_strncpy (tmp, (const gchar *) new_value, max_len);
+ g_free (new_value);
+ new_value = tmp;
+ }
+ } else {
+ if (strlen (new_value) > max_len) {
+ gchar *tmp = g_malloc0 (max_len);
+ strncpy (new_value, tmp, max_len);
+ g_free (new_value);
+ new_value = tmp;
+ }
}
return new_value;
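Review bot: In the non-UTF-8 branch the call `strncpy (new_value, tmp, max_len);` has source and destination swapped: it copies the zero-filled tmp buffer into new_value, then frees new_value and returns tmp, so an over-long header that is not valid UTF-8 comes back as an empty string rather than a truncated one. Both truncation buffers also leave no room for the terminator when the limit is hit exactly: tmp is g_malloc0 (max_len) while strncpy may write max_len bytes without a NUL, and g_malloc0 (max_len * 4) can be filled completely by max_len four-byte characters before g_utf8_strncpy appends its NUL. Allocating one byte more and copying in the right direction fixes both: `gchar *tmp = g_malloc0 (max_len + 1); strncpy (tmp, new_value, max_len);` in the else branch and `gchar *tmp = g_malloc0 (max_len * 4 + 1);` in the UTF-8 branch; for the byte-wise case `g_strndup (new_value, max_len)` would be the simpler and self-terminating choice. The function's closing brace is outside the hunk.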
*
* Returns: returns the secured header
**/
-gchar * modest_text_utils_get_secure_header (gchar *value, const gchar *header);
+gchar * modest_text_utils_get_secure_header (const gchar *value, const gchar *header);
#endif /* __MODEST_TEXT_UTILS_H__ */
}
/* Prevent DoS attacks caused by malformed emails */
- if (old_from)
- old_from = modest_text_utils_get_secure_header (old_from,
- from_header);
- if (old_reply_to)
- old_reply_to = modest_text_utils_get_secure_header (old_reply_to,
- reply_header);
+ if (old_from) {
+ gchar *tmp = old_from;
+ old_from = modest_text_utils_get_secure_header ((const gchar *) tmp, from_header);
+ g_free (tmp);
+ }
+ if (old_reply_to) {
+ gchar *tmp = old_reply_to;
+ old_reply_to = modest_text_utils_get_secure_header ((const gchar *) tmp, reply_header);
+ g_free (tmp);
+ }
/* for mailing lists, use both Reply-To and From if we did a
* 'Reply All:'
recipients = modest_text_utils_split_addresses_list (after_remove);
g_free (after_remove);
+ if (from)
+ g_free (from);
+ if (to)
+ g_free (to);
+ if (cc)
+ g_free (cc);
+ if (bcc)
+ g_free (bcc);
+
return recipients;
}
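Review bot: The NULL guards around the four new g_free() calls are redundant, since g_free() accepts NULL; `g_free (from); g_free (to); g_free (cc); g_free (bcc);` reads cleaner and matches the unguarded g_free (after_remove) just above. Whether these four strings are owned by this function and not referenced by the returned recipients list cannot be seen here, as the function begins outside the hunk, so it is worth confirming they are local copies before relying on this cleanup.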
ModestDetailsDialogPrivate *priv;
guint n_rows = 0;
GtkWidget *label_w, *value_w;
+ gchar *secure_value;
priv = MODEST_DETAILS_DIALOG_GET_PRIVATE (self);
gtk_misc_set_alignment (GTK_MISC (label_w), 1.0, 0.0);
gtk_label_set_justify (GTK_LABEL (label_w), GTK_JUSTIFY_RIGHT);
+ /* Create secure value */
+ secure_value = modest_text_utils_get_secure_header (value, "");
+
/* Create value */
- value_w = gtk_label_new (value);
- gtk_label_set_line_wrap (GTK_LABEL (value_w), TRUE);
- gtk_label_set_line_wrap_mode (GTK_LABEL (value_w), PANGO_WRAP_WORD_CHAR);
+ value_w = gtk_label_new (secure_value);
+ gtk_label_set_line_wrap ((GtkLabel *) value_w, TRUE);
+ gtk_label_set_line_wrap_mode ((GtkLabel *) value_w, PANGO_WRAP_WORD_CHAR);
gtk_misc_set_alignment (GTK_MISC (value_w), 0.0, 0.0);
- gtk_label_set_justify (GTK_LABEL (value_w), GTK_JUSTIFY_LEFT);
+ gtk_label_set_justify ((GtkLabel *) value_w, GTK_JUSTIFY_LEFT);
/* Attach label and value */
gtk_table_attach (GTK_TABLE (priv->props_table),
GTK_EXPAND|GTK_FILL,
GTK_SHRINK|GTK_FILL,
0, 0);
+
+ g_free (secure_value);
}
static void
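Review bot: The changed lines replace the checked GTK_LABEL() casts on value_w with bare `(GtkLabel *)` casts while the label_w lines just above keep GTK_LABEL(); the checked macro is free in release builds and reports a wrong instance type in debug builds, so `gtk_label_set_line_wrap (GTK_LABEL (value_w), TRUE);` and the two matching lines should stay in the macro form for consistency. Separately, the new call modest_text_utils_get_secure_header (value, "") passes value straight through; if value can be NULL here (gtk_label_new tolerated that before), the helper's g_strrstr/g_utf8_validate path presumably would not, which cannot be confirmed from the hunk, so a NULL guard or a comment stating that value is non-NULL would help. The function's signature is outside the hunk.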