Commit a9fb511c authored by Punit Jain's avatar Punit Jain

bug #641069 - tnef plugin vulnerabilities

Resolves directory traversal and buffer overflow vulnerabilities.
parent c122f88a
......@@ -25,6 +25,7 @@
/* We include gi18n-lib.h so that we have strings translated directly for this package */
#include <glib/gi18n-lib.h>
#include <glib/gprintf.h>
#include <string.h>
#include <stdio.h>
......@@ -67,6 +68,19 @@ guchar getRruleCount (guchar a, guchar b);
guchar getRruleMonthNum (guchar a, guchar b);
gchar * getRruleDayname (guchar a);
static gchar*
sanitize_filename (const gchar *filename)
{
gchar * sanitized_name;
sanitized_name = g_path_get_basename (filename);
if (sanitized_name == NULL || !g_strcmp0 (sanitized_name, ".")) {
g_free (sanitized_name);
return NULL;
} else {
return g_strdelimit (sanitized_name, " ", '_');
}
}
void
org_gnome_format_tnef (gpointer ep, EMFormatHookTarget *t)
{
......@@ -216,8 +230,9 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
Attachment *p;
gint RealAttachment;
gint object;
gchar ifilename[256];
gint i, count;
gchar *ifilename = NULL;
gchar *absfilename, *file;
gint count;
gint foundCal=0;
FILE *fptr;
......@@ -255,10 +270,13 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
!= MAPI_UNDEFINED) {
variableLength buf;
if ((buf.data = (gchar *) DecompressRTF (filename, &buf.size)) != NULL) {
sprintf(ifilename, "%s/%s.rtf", tmpdir, tnef->subject.data);
for (i=0; i<strlen (ifilename); i++)
if (ifilename[i] == ' ')
ifilename[i] = '_';
file = sanitize_filename (tnef->subject.data);
if (!file)
return;
absfilename = g_strconcat (file, ".rtf", NULL);
ifilename = g_build_filename (tmpdir, file, NULL);
g_free (absfilename);
g_free (file);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("ERROR: Error writing file to disk!");
......@@ -347,13 +365,14 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
}
if (filename->size == 1) {
filename->size = 20;
sprintf(tmpname, "file_%03i.dat", count);
g_sprintf(tmpname, "file_%03i.dat", count);
filename->data = tmpname;
}
sprintf(ifilename, "%s/%s", tmpdir, filename->data);
for (i=0; i<strlen (ifilename); i++)
if (ifilename[i] == ' ')
ifilename[i] = '_';
absfilename = sanitize_filename (filename->data);
if (!absfilename)
return;
ifilename = g_build_filename (tmpdir, absfilename, NULL);
g_free (absfilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("ERROR: Error writing file to disk!");
......@@ -375,33 +394,43 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
} /* if size>0 */
p=p->next;
} /* while p!= null */
g_free (ifilename);
}
void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
gchar ifilename[512];
gchar *ifilename;
gchar *absfilename, *file=NULL;
FILE *fptr;
variableLength *vl;
variableLength *pobox, *street, *city, *state, *zip, *country;
dtr thedate;
gint boolean, i;
gint boolean;
if ((vl = MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_DISPLAY_NAME))) == MAPI_UNDEFINED) {
if ((vl=MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_COMPANY_NAME))) == MAPI_UNDEFINED) {
if (tnef->subject.size > 0) {
sprintf(ifilename, "%s/%s.vcard", tmpdir, tnef->subject.data);
} else {
sprintf(ifilename, "%s/unknown.vcard", tmpdir);
}
} else {
sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
file = sanitize_filename (tnef->subject.data);
if (!file)
return;
absfilename = g_strconcat (file, ".vcard", NULL);
} else
absfilename = g_strdup ("unknown.vcard");
} else {
file = sanitize_filename (vl->data);
if (!file)
return;
absfilename = g_strconcat (file, ".vcard", NULL);
}
} else {
sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
file = sanitize_filename (vl->data);
if (!file)
return;
absfilename = g_strconcat (file, ".vcard", NULL);
}
for (i=0; i<strlen (ifilename); i++)
if (ifilename[i] == ' ')
ifilename[i] = '_';
printf("%s\n", ifilename);
ifilename = g_build_filename (tmpdir, absfilename, NULL);
g_free (file);
g_free (absfilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
printf("Error writing file to disk!");
......@@ -657,6 +686,7 @@ void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCARD\n");
fclose (fptr);
}
g_free (ifilename);
}
guchar getRruleCount (guchar a, guchar b) {
......@@ -842,7 +872,7 @@ void printRrule (FILE *fptr, gchar *recur_data, gint size, TNEFStruct *tnef)
}
void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
gchar ifilename[256];
gchar *ifilename;
variableLength *filename;
gchar *charptr, *charptr2;
FILE *fptr;
......@@ -851,7 +881,7 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
DWORD dword_val;
dtr thedate;
sprintf(ifilename, "%s/calendar.ics", tmpdir);
ifilename = g_build_filename (tmpdir, "calendar.vcf", NULL);
printf("%s\n", ifilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
......@@ -1088,13 +1118,15 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCALENDAR\n");
fclose (fptr);
}
g_free (ifilename);
}
void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
variableLength *vl;
variableLength *filename;
gint index,i;
gchar ifilename[256];
gint index;
gchar *ifilename;
gchar *absfilename, *file;
gchar *charptr, *charptr2;
dtr thedate;
FILE *fptr;
......@@ -1111,10 +1143,14 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
while (vl->data[index] == ' ')
vl->data[index--] = 0;
sprintf(ifilename, "%s/%s.ics", tmpdir, vl->data);
for (i=0; i<strlen (ifilename); i++)
if (ifilename[i] == ' ')
ifilename[i] = '_';
file = sanitize_filename (vl->data);
if (!file)
return;
absfilename = g_strconcat (file, ".vcf", NULL);
ifilename = g_build_filename (tmpdir, absfilename, NULL);
g_free (file);
g_free (absfilename);
printf("%s\n", ifilename);
if ((fptr = fopen(ifilename, "wb"))==NULL) {
......@@ -1210,7 +1246,7 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
fprintf(fptr, "END:VCALENDAR\n");
fclose (fptr);
}
g_free (ifilename);
}
void fprintProperty (TNEFStruct *tnef, FILE *fptr, DWORD proptype, DWORD propid, const gchar text[]) {
......
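Review bot: In the RTF branch of processTnef, `absfilename` (the sanitized subject plus ".rtf") is built and then freed without ever being used, because the path is assembled from `file`, so the decompressed body is written without its extension and could collide with an attachment that sanitizes to the same name. The call should read `ifilename = g_build_filename (tmpdir, absfilename, NULL);`, which is what saveVCard and saveVTask already do. Separately, `ifilename` is now heap-allocated but freed only once after the attachment loop, so it appears that every earlier allocation is leaked, as is the one still live at the `return` taken when sanitize_filename fails; freeing it right after each `fclose` or error path would avoid that. processTnef's body extends beyond the visible hunks, so both points should be confirmed against the full function.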