Open an explorer.exe window at the location of the file when clicking
authorMark Doliner <markdoliner@pidgin.im>
Thu, 18 Aug 2011 08:38:23 +0000
changeset4377067bda01 pushlog
parent f3fa240fea6c
child 619f32df41f1
Open an explorer.exe window at the location of the file when clicking
on a file link instead of executing the file, because executing a file
can be potentially dangerous. Problem discovered by James Burton of
Insomnia Security. Fixed by Eion Robb.
ChangeLog
pidgin/gtkutils.c
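--- a/ChangeLog
+++ b/ChangeLog
@@ -53,6 +53,12 @@
 	* Fix coming out of idle while in an unavailable state
 	* Fix logging into Yahoo! JAPAN.  (#14259)
 
+	Windows-Specific Changes:
+	* Open an explorer.exe window at the location of the file when clicking
+	  on a file link instead of executing the file, because executing a file
+	  can be potentially dangerous.  Problem discovered by James Burton of
+	  Insomnia Security.  Fixed by Eion Robb.
+
 version 2.9.0 (06/23/2011):
 	Pidgin:
 	* Fix a potential remote denial-of-service bug related to displaying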
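--- a/pidgin/gtkutils.c
+++ b/pidgin/gtkutils.c
@@ -3282,13 +3282,26 @@
 #ifdef _WIN32
 	/* If using Win32... */
 	int code;
-	wchar_t *wc_filename = g_utf8_to_utf16(
-			uri, -1, NULL, NULL, NULL);
-
-	code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
-			SW_SHOW);
-
-	g_free(wc_filename);
+	if (purple_str_has_prefix(uri, "file://"))
+	{
+		gchar *escaped = g_shell_quote(uri);
+		gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);
+		gchar *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);
+
+		code = (int)ShellExecuteW(NULL, "OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);
+
+		g_free(wc_param);
+		g_free(param);
+		g_free(escaped);
+	} else {
+		wchar_t *wc_filename = g_utf8_to_utf16(
+				uri, -1, NULL, NULL, NULL);
+
+		code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
+				SW_SHOW);
+
+		g_free(wc_filename);
+	}
 
 	if (code == SE_ERR_ASSOCINCOMPLETE || code == SE_ERR_NOASSOC)
 	{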