diff -up evolution-3.0.3/composer/e-msg-composer.c.CVE-2011-3201 evolution-3.0.3/composer/e-msg-composer.c --- evolution-3.0.3/composer/e-msg-composer.c.CVE-2011-3201 2011-07-15 02:42:06.000000000 -0500 +++ evolution-3.0.3/composer/e-msg-composer.c 2011-11-30 07:32:33.485560137 -0600 @@ -3893,6 +3893,35 @@ add_recipients (GList *list, const gchar return list; } +static const gchar *blacklist[] = { ".", "etc", ".." }; + +static gboolean +file_is_blacklisted (const gchar *filename) +{ + gboolean blacklisted = FALSE; + guint ii, jj, n_parts; + gchar **parts; + + parts = g_strsplit (filename, G_DIR_SEPARATOR_S, -1); + n_parts = g_strv_length (parts); + + for (ii = 0; ii < G_N_ELEMENTS (blacklist); ii++) { + for (jj = 0; jj < n_parts; jj++) { + if (g_str_has_prefix (parts[jj], blacklist[ii])) { + blacklisted = TRUE; + break; + } + } + } + + g_strfreev (parts); + + if (blacklisted) + g_message ("Skipping suspicious attachment: %s", filename); + + return blacklisted; +} + static void handle_mailto (EMsgComposer *composer, const gchar *mailto) { @@ -3985,6 +4014,8 @@ handle_mailto (EMsgComposer *composer, c EAttachment *attachment; camel_url_decode (content); + if (file_is_blacklisted (content)) + goto next; if (g_ascii_strncasecmp (content, "file:", 5) == 0) attachment = e_attachment_new_for_uri (content); else @@ -4004,6 +4035,7 @@ handle_mailto (EMsgComposer *composer, c e_msg_composer_add_header (composer, header, content); } +next: g_free (content); p += clen;