Re: [Evolution] Sending photos from digKam: "Skipping suspicious attachment"



On Sun, 2012-06-24 at 21:27 +0200, Jacob Nielsen wrote:
> For the record I first tried moving it into one of the XDG dirs, but
> that doesn't work:
>
> "composer-Message: Skipping suspicious attachment: 
> /home/snobel/.cache/kde/tmp-limoncello/kipiplugin-sendimagesDA8UIj/home/snobel/.cache/kde/tmp-limoncello/kipiplugin-sendimagesDA8UIj/667ZFW/IMG_2488.jpeg"
>
> Maybe because of the second hidden directory in the path?

        Hi,
does the file actually exist in that directory? I suppose you
copy&pasted the error message from the console, thus it seems like either
a bug in Evolution with the error printing or your plugin duplicates a
prefix of the file in the path, because the two parts are exactly the
same (see them separated):
  /home/snobel/.cache/kde/tmp-limoncello/kipiplugin-sendimagesDA8UIj
  /home/snobel/.cache/kde/tmp-limoncello/kipiplugin-sendimagesDA8UIj/667ZFW/IMG_2488.jpeg
thus it seems to me like only the second part of the file name is the
right one (the lower one in the separation above).

Anyway, reading the code in 3.2.3, the attachment is considered
suspicious if any of its path parts (like "home", "snobel", ".cache")
has one of the prefixes ".", "etc" or "..". I do not see any checking
for XDG there. 3.4.x has a final check for XDG prefixes there, to
whitelist blacklisted files.

I think it would be nice to create a table of skipped attachments in the
composer UI, inside the error message, with an "Attach anyway" button
beside each file name, though, if I read the code properly, an alert
about the suspicious attachment is submitted but the file is attached
anyway in 3.4.x+, thus this works quite differently in current stable
than in 3.2.3.
        Bye,
        Milan
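
The path check described above for 3.2.3, plus a 3.4.x-style allowlist step, as an added sketch in C that is not Evolution's source code. The function names, the caller-supplied allowlist and the sample directory in `sample_allow` are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Prefixes named in the message; ".." is already covered by ".". */
static const char *const bad_prefixes[] = { ".", "etc", ".." };

/* Constructed sample allowlist (assumption; the message names no directories). */
static const char *const sample_allow[] = { "/home/snobel/.cache" };

/* True if any '/'-separated component of path starts with a listed prefix. */
bool has_suspicious_part(const char *path)
{
    const char *p = path;
    while (*p) {
        while (*p == '/')
            p++;                          /* skip separators */
        size_t len = strcspn(p, "/");     /* length of this component */
        for (size_t i = 0; len && i < sizeof bad_prefixes / sizeof *bad_prefixes; i++) {
            size_t n = strlen(bad_prefixes[i]);
            if (len >= n && strncmp(p, bad_prefixes[i], n) == 0)
                return true;
        }
        p += len;
    }
    return false;
}

/* True if path lies inside dir; the match must end on a component boundary.
 * Assumes path is already canonical (for example the output of realpath()). */
static bool is_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return n > 0 && strncmp(path, dir, n) == 0 &&
           (path[n] == '/' || path[n] == '\0');
}

/* Flag a path with a suspicious component unless an allowlisted
 * directory contains it (hypothetical helper, allowlist from the caller). */
bool attachment_is_flagged(const char *path, const char *const *allow, size_t n_allow)
{
    if (!has_suspicious_part(path))
        return false;
    for (size_t i = 0; i < n_allow; i++)
        if (is_under(path, allow[i]))
            return false;
    return true;
}
```

Because the test is a prefix match on each component, an ordinary directory such as `etcetera` is flagged as well, and every hidden directory (`.cache`, `.kde`) trips the "." prefix.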



