eog r4816 - in trunk: . src



Author: csaavedra
Date: Sun Oct 12 11:53:42 2008
New Revision: 4816
URL: http://svn.gnome.org/viewvc/eog?rev=4816&view=rev

Log:
2008-10-12  Claudio Saavedra  <csaavedra igalia com>

	* src/eog-error-message-area.c:
	(eog_image_load_error_message_area_new),
	(eog_no_images_error_message_area_new): Use
	g_markup_escape_text() to avoid possible markup "injection attack".
	Fixes bug #555940 (Martin Olsson)



Modified:
   trunk/ChangeLog
   trunk/src/eog-error-message-area.c

Modified: trunk/src/eog-error-message-area.c
==============================================================================
--- trunk/src/eog-error-message-area.c	(original)
+++ trunk/src/eog-error-message-area.c	Sun Oct 12 11:53:42 2008
@@ -127,12 +127,18 @@
 	GtkWidget *message_area;
 	gchar *error_message = NULL;
 	gchar *message_details = NULL;
+	gchar *pango_escaped_caption = NULL;
 
 	g_return_val_if_fail (caption != NULL, NULL);
 	g_return_val_if_fail (error != NULL, NULL);
 
+	/* Escape the caption string with respect to pango markup.
+	   This is necessary because otherwise characters like "&" will
+	   be interpreted as the beginning of a pango entity inside
+	   the message area GtkLabel. */
+	pango_escaped_caption = g_markup_escape_text (caption, -1);
 	error_message = g_strdup_printf (_("Could not load image '%s'."),
-					 caption);
+					 pango_escaped_caption);
 
 	message_details = g_strdup (error->message); 
 
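Review bot: The caption is now escaped, but `error->message`, copied into `message_details` on the last line of the hunk, still reaches the message area unescaped and is handed to the same constructor as the escaped caption (second hunk, `message_details, TRUE`); GIO error messages routinely embed the file name or URI, so if the details label is also rendered as Pango markup the same characters (`&`, `<`) would break it there. If that label uses markup, escape it the same way: `message_details = g_markup_escape_text (error->message, -1);`. If the details label is plain text, a short comment next to the g_strdup saying so would save the next reader the question. The enclosing function eog_image_load_error_message_area_new starts and ends outside the hunk.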
@@ -140,6 +146,7 @@
 						  message_details,
 						  TRUE);
 
+	g_free (pango_escaped_caption);
 	g_free (error_message);
 	g_free (message_details);
 
@@ -153,14 +160,21 @@
 	gchar *error_message = NULL;
 
 	if (file != NULL) {
-		gchar *uri_str, *unescaped_str;
+		gchar *uri_str, *unescaped_str, *pango_escaped_str;
 
 		uri_str = g_file_get_uri (file);
+		/* Unescape URI with respect to rules defined in RFC 3986. */
 		unescaped_str = g_uri_unescape_string (uri_str, NULL);
 
+		/* Escape the URI string with respect to pango markup.
+		   This is necessary because the URI string can contain
+		   for example "&" which will otherwise be interpreted
+		   as a pango markup entity when inserted into a GtkLabel. */
+		pango_escaped_str = g_markup_escape_text (unescaped_str, -1);
 		error_message = g_strdup_printf (_("No images found in '%s'."),
-						 unescaped_str);
+						 pango_escaped_str);
 
+		g_free (pango_escaped_str);
 		g_free (uri_str);
 		g_free (unescaped_str);
 	} else {
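Review bot: `g_uri_unescape_string()` returns NULL when the URI contains an escaped sequence it rejects (for example an encoded NUL byte), and the new `g_markup_escape_text (unescaped_str, -1)` then receives NULL; as far as I can tell it warns and returns NULL, so the `%s` below would format a NULL string. The escaping call does not make this worse than the original g_strdup_printf, but the branch now has two calls that assume a non-NULL string, so a fallback before the escape call keeps the message usable: `if (unescaped_str == NULL) unescaped_str = g_strdup (uri_str);`. The enclosing function eog_no_images_error_message_area_new starts and ends outside the hunk.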


