--- a/ChangeLog Thu Aug 18 08:00:50 2011 +0000
+++ b/ChangeLog Thu Aug 18 08:38:23 2011 +0000
@@ -53,6 +53,12 @@
* Fix coming out of idle while in an unavailable state
* Fix logging into Yahoo! JAPAN. (#14259)
+ Windows-Specific Changes: + * Open an explorer.exe window at the location of the file when clicking + on a file link instead of executing the file, because executing a file + can be potentially dangerous. Problem discovered by James Burton of + Insomnia Security. Fixed by Eion Robb. version 2.9.0 (06/23/2011):
* Fix a potential remote denial-of-service bug related to displaying
--- a/pidgin/gtkutils.c Thu Aug 18 08:00:50 2011 +0000
+++ b/pidgin/gtkutils.c Thu Aug 18 08:38:23 2011 +0000
@@ -3282,13 +3282,26 @@
- wchar_t *wc_filename = g_utf8_to_utf16(
- uri, -1, NULL, NULL, NULL);
- code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
+ if (purple_str_has_prefix(uri, "file://")) + gchar *escaped = g_shell_quote(uri); + gchar *param = g_strconcat("/select,\"", uri, "\"", NULL); + gchar *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL); + code = (int)ShellExecuteW(NULL, "OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL); + wchar_t *wc_filename = g_utf8_to_utf16( + uri, -1, NULL, NULL, NULL); + code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, if (code == SE_ERR_ASSOCINCOMPLETE || code == SE_ERR_NOASSOC)
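Review bot: In the new `file://` branch, `escaped` from `g_shell_quote(uri)` is never used: `param` is built from the raw `uri`, so a double quote inside the link would close the quoted `/select,"…"` argument early and explorer.exe would parse the remainder as separate arguments. Since g_shell_quote applies POSIX-shell quoting rather than Windows command-line quoting, I would drop that line and reject any `uri` containing `"` before the `g_strconcat`. The same call passes the narrow literal `"OPEN"` to ShellExecuteW, which expects a wide string; it should be `L"OPEN"`, and `wc_param` should be declared `wchar_t *` like `wc_filename` rather than `gchar *`. The `purple_str_has_prefix(uri, "file://")` test looks case-sensitive (its definition is not on this page), in which case a link written with a different-case scheme would still fall through to the executing ShellExecuteW path; `g_ascii_strncasecmp(uri, "file://", 7) == 0` would cover that. The hunk as shown has lost its braces, the `else` and any `g_free` calls, so whether `escaped`, `param` and `wc_param` are released cannot be confirmed from here.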