Re: Security issues, PR, community

From: Havoc Pennington <hp redhat com>
To: GNOME Hackers <gnome-hackers gnome org>
Subject: Re: Security issues, PR, community
Date: Sat, 29 Mar 2003 14:47:43 -0500

On Sat, Mar 29, 2003 at 02:18:40PM +1100, Jeff Waugh wrote: 
> Given recent issues with EoG and Evolution, perhaps we need to have a better
> process for handling security announcements? Debian and Red Hat both have
> good pre-formatted emails with sensible (balanced!) information for security
> advisories.
> 
> Thoughts?

Focusing more short-term, can someone post which lines of code in EOG
are broken, so I can go see whether old versions have them?

I extracted the attached patch from CVS, is this the whole fix?

Longer term, we do need a process; this should not have gone public
before the distributions knew about it, and we should have details on
the exact fix, "upgrade" isn't a good enough thing (OS vendors don't
want to drag in unrelated changes, just make the minimum required
fix).

Havoc

Index: main.c
===================================================================
RCS file: /cvs/gnome/eog/shell/main.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- main.c	3 Mar 2003 09:37:23 -0000	1.28
+++ main.c	19 Mar 2003 03:28:15 -0000	1.29
@@ -9,6 +9,7 @@
 #include <gconf/gconf-client.h>
 #include <bonobo.h>
 #include <bonobo/bonobo-ui-main.h>
+#include <eel/eel-vfs-extensions.h>
 #include "eog-hig-dialog.h"
 #include "eog-window.h"
 #include "session.h"
@@ -133,51 +134,16 @@ create_empty_window (gpointer data)
 static GnomeVFSURI*
 make_canonical_uri (const char *path)
 {
-	GnomeVFSURI *uri = NULL;
+	char *uri_str;
+	GnomeVFSURI *uri;
 
-	g_return_val_if_fail (path != NULL, NULL);
+	uri_str = eel_make_uri_from_shell_arg (path);
 
-	/* check if it's some kind of URI */
-	if (g_strrstr (path, ":/") != NULL) {
-		/* an URI should be encoded/escaped already properly */
-		uri = gnome_vfs_uri_new (path);
-	}
-	else {
-		/* we assume that it's an local file path */
-		/* apply some encoding/escaping magic */
-		GError *error = NULL;
-		char *fullpath;
-		char *escape;
-		char *utf;
+	uri = NULL;
 
-		if (g_path_is_absolute (path)) {
-			fullpath = g_strdup (path);
-		}
-		else {
-			char *current_dir;
-			current_dir = g_get_current_dir ();
-			fullpath = g_build_filename (current_dir, path, NULL);
-			g_free (current_dir);
-		}
-
-		escape = gnome_vfs_escape_path_string (fullpath);
-		g_free (fullpath);
-
-		if (g_utf8_validate (escape, -1, NULL)) {
-			utf = g_strdup (escape);
-		}
-		else {
-			utf = g_filename_to_utf8 (escape, -1, NULL, NULL, &error);
-		}
-		g_free (escape);
-		
-		if (utf == NULL) {
-			g_error ("Couldn't utf encode path: %s", error != NULL ? error->message : "unknown error");
-		}
-		else {
-			uri = gnome_vfs_uri_new (utf);
-			g_free (utf);
-		}
+	if (uri_str) {
+		uri = gnome_vfs_uri_new (uri_str);
+		g_free (uri_str);
 	}
 
 	return uri;

References:
- Security issues, PR, community
  - From: Jeff Waugh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]