adium.1-3: 86fb8c0b: Untested backport(ish) of the three chan...
zacw at adiumx.com
zacw at adiumx.com
Mon Jan 11 20:50:37 EST 2010
-----------------------------------------------------------------
Revision: 86fb8c0bc74845a0bd5144ea4d8c8f30066396eb
Ancestor: 09a6948342ee7d1beaf292349edefb7d35ce8975
Author: zacw at adiumx.com
Date: 2010-01-12T01:47:42
Branch: im.pidgin.adium.1-3
URL: http://d.pidgin.im/viewmtn/revision/info/86fb8c0bc74845a0bd5144ea4d8c8f30066396eb
Modified files:
libpurple/protocols/msn/slp.c
ChangeLog:
Untested backport(ish) of the three changes for CVE-2010-0013.
-------------- next part --------------
============================================================
--- libpurple/protocols/msn/slp.c b99e72a625c7752110e77ab2b341162597f2e4cf
+++ libpurple/protocols/msn/slp.c d948baa90742f0f73f25eff8e43858b01d300563
@@ -244,6 +244,38 @@ send_decline(MsnSlpCall *slpcall, const
msn_slplink_queue_slpmsg(slplink, slpmsg);
}
+/* XXX: this could be improved if we tracked custom smileys
+ * per-protocol, per-account, per-session or (ideally) per-conversation
+ */
+static PurpleStoredImage *
+find_valid_emoticon(PurpleAccount *account, const char *path)
+{
+ GList *smileys;
+
+ if (!purple_account_get_bool(account, "custom_smileys", TRUE))
+ return NULL;
+
+ smileys = purple_smileys_get_all();
+
+ for (; smileys; smileys = g_list_delete_link(smileys, smileys)) {
+ PurpleSmiley *smiley;
+ PurpleStoredImage *img;
+
+ smiley = smileys->data;
+ img = purple_smiley_get_stored_image(smiley);
+
+ if (g_strcmp0(path, purple_imgstore_get_filename(img)) == 0) {
+ g_list_free(smileys);
+ return img;
+ }
+
+ purple_imgstore_unref(img);
+ }
+
+ purple_debug_error("msn", "Received illegal request for file %s\n", path);
+ return NULL;
+}
+
#define MAX_FILE_NAME_LEN 0x226
static void
@@ -259,7 +291,7 @@ got_sessionreq(MsnSlpCall *slpcall, cons
MsnSlpMessage *slpmsg;
MsnObject *obj;
char *msnobj_data;
- PurpleStoredImage *img;
+ PurpleStoredImage *img = NULL;
int type;
/* Send Ok */
@@ -278,52 +310,35 @@ got_sessionreq(MsnSlpCall *slpcall, cons
type = msn_object_get_type(obj);
g_free(msnobj_data);
- if ((type != MSN_OBJECT_USERTILE) && (type != MSN_OBJECT_EMOTICON))
- {
- purple_debug_error("msn", "Wrong object?\n");
- msn_object_destroy(obj);
- g_return_if_reached();
- }
-
if (type == MSN_OBJECT_EMOTICON) {
- char *path;
- path = g_build_filename(purple_smileys_get_storing_dir(),
- obj->location, NULL);
- img = purple_imgstore_new_from_file(path);
- g_free(path);
- } else {
+ img = find_valid_emoticon(slplink->session->account, obj->location);
+ } else if (type == MSN_OBJECT_USERTILE) {
img = msn_object_get_image(obj);
if (img)
purple_imgstore_ref(img);
}
msn_object_destroy(obj);
- if (img == NULL)
- {
+ if (img != NULL) {
+ /* DATA PREP */
+ slpmsg = msn_slpmsg_new(slplink);
+ slpmsg->slpcall = slpcall;
+ slpmsg->session_id = slpcall->session_id;
+ msn_slpmsg_set_body(slpmsg, NULL, 4);
+ slpmsg->info = "SLP DATA PREP";
+ msn_slplink_queue_slpmsg(slplink, slpmsg);
+
+ /* DATA */
+ slpmsg = msn_slpmsg_new(slplink);
+ slpmsg->slpcall = slpcall;
+ slpmsg->flags = 0x20;
+ slpmsg->info = "SLP DATA";
+ msn_slpmsg_set_image(slpmsg, img);
+ msn_slplink_queue_slpmsg(slplink, slpmsg);
+ purple_imgstore_unref(img);
+ } else {
purple_debug_error("msn", "Wrong object.\n");
- g_return_if_reached();
}
-
- /* DATA PREP */
- slpmsg = msn_slpmsg_new(slplink);
- slpmsg->slpcall = slpcall;
- slpmsg->session_id = slpcall->session_id;
- msn_slpmsg_set_body(slpmsg, NULL, 4);
-#ifdef MSN_DEBUG_SLP
- slpmsg->info = "SLP DATA PREP";
-#endif
- msn_slplink_queue_slpmsg(slplink, slpmsg);
-
- /* DATA */
- slpmsg = msn_slpmsg_new(slplink);
- slpmsg->slpcall = slpcall;
- slpmsg->flags = 0x20;
-#ifdef MSN_DEBUG_SLP
- slpmsg->info = "SLP DATA";
-#endif
- msn_slpmsg_set_image(slpmsg, img);
- msn_slplink_queue_slpmsg(slplink, slpmsg);
- purple_imgstore_unref(img);
}
else if (!strcmp(euf_guid, MSN_FT_GUID))
{
More information about the Commits
mailing list