Open an explorer.exe window at the location of the file when clicking
authorMark Doliner <markdoliner@pidgin.im>
Thu, 18 Aug 2011 08:38:23 +0000
changeset4377067bda01 pushlog
parent f3fa240fea6c
child 619f32df41f1
Open an explorer.exe window at the location of the file when clicking
on a file link instead of executing the file, because executing a file
can be potentially dangerous. Problem discovered by James Burton of
Insomnia Security. Fixed by Eion Robb.
ChangeLog
pidgin/gtkutils.c
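--- a/ChangeLog
+++ b/ChangeLog
@@ -53,6 +53,12 @@
 	* Fix coming out of idle while in an unavailable state
 	* Fix logging into Yahoo! JAPAN.  (#14259)
 
+	Windows-Specific Changes:
+	* Open an explorer.exe window at the location of the file when clicking
+	  on a file link instead of executing the file, because executing a file
+	  can be potentially dangerous.  Problem discovered by James Burton of
+	  Insomnia Security.  Fixed by Eion Robb.
+
 version 2.9.0 (06/23/2011):
 	Pidgin:
 	* Fix a potential remote denial-of-service bug related to displaying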
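--- a/pidgin/gtkutils.c
+++ b/pidgin/gtkutils.c
@@ -3282,13 +3282,26 @@
 #ifdef _WIN32
 	/* If using Win32... */
 	int code;
-	wchar_t *wc_filename = g_utf8_to_utf16(
-			uri, -1, NULL, NULL, NULL);
-
-	code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
-			SW_SHOW);
-
-	g_free(wc_filename);
+	if (purple_str_has_prefix(uri, "file://"))
+	{
+		gchar *escaped = g_shell_quote(uri);
+		gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);
+		gchar *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);
+
+		code = (int)ShellExecuteW(NULL, "OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);
+
+		g_free(wc_param);
+		g_free(param);
+		g_free(escaped);
+	} else {
+		wchar_t *wc_filename = g_utf8_to_utf16(
+				uri, -1, NULL, NULL, NULL);
+
+		code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
+				SW_SHOW);
+
+		g_free(wc_filename);
+	}
 
 	if (code == SE_ERR_ASSOCINCOMPLETE || code == SE_ERR_NOASSOC)
 	{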
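Review bot: In the `file://` branch `escaped` is allocated by g_shell_quote() and freed without ever being used, while `param` is built from the raw `uri`, so a `"` inside the URI closes the quoted `/select,"…"` argument early and the remainder reaches explorer.exe as separate arguments. g_shell_quote() produces POSIX-shell quoting, which is not what a Windows command line needs, so the fix is to delete the `escaped` lines and refuse (or strip) any URI containing `"` before the g_strconcat() call. The verb is passed as a narrow literal to the wide API and the UTF-16 result is stored in a `gchar *`; these should read `ShellExecuteW(NULL, L"open", L"explorer.exe", wc_param, NULL, SW_NORMAL)` and `wchar_t *wc_param = ...`, matching the else branch. The prefix test appears to be case-sensitive, so the scheme should be compared case-insensitively to keep file links in any casing off the executing `else` path. The enclosing function begins and ends outside the hunk.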