--- a/ChangeLog Sat Jan 11 23:00:56 2014 -0800
+++ b/ChangeLog Sun Jan 12 00:50:02 2014 -0800
@@ -16,6 +16,9 @@
* Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
Windows-Specific Changes:
+ * When clicking file:// links, show the file in Explorer rather than + attempting to run the file. This reduces the chances of a user + clicking on a link and mistakenly running a malicious file. * Fix Tcl scripts. (#15520)
* Fix crash-on-startup when ASLR is always on. (#15521)
* Updates to dependencies:
--- a/pidgin/gtkutils.c Sat Jan 11 23:00:56 2014 -0800
+++ b/pidgin/gtkutils.c Sun Jan 12 00:50:02 2014 -0800
@@ -3267,33 +3267,28 @@
+ * @param filename The path to a file. Specifically this is the link target + * from a link in an IM window with the leading "file://" removed. -file_open_uri(GtkIMHtml *imhtml, const char *uri)
+open_file(GtkIMHtml *imhtml, const char *filename) /* Copied from gtkft.c:open_button_cb */
- if (purple_str_has_prefix(uri, "file://"))
- gchar *escaped = g_shell_quote(uri);
- gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);
- wchar_t *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);
- code = (int)ShellExecuteW(NULL, L"OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);
- wchar_t *wc_filename = g_utf8_to_utf16(
- uri, -1, NULL, NULL, NULL);
- code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL,
+ /* Escape URI by replacing double-quote with 2 double-quotes. */ + gchar *escaped = purple_strreplace(filename, "\"", "\"\""); + gchar *param = g_strconcat("/select,\"", escaped, "\"", NULL); + wchar_t *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL); + /* TODO: Better to use SHOpenFolderAndSelectItems()? */ + code = (int)ShellExecuteW(NULL, L"OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL); if (code == SE_ERR_ASSOCINCOMPLETE || code == SE_ERR_NOASSOC)
@@ -3304,7 +3299,8 @@
purple_notify_error(imhtml, NULL,
_("An error occurred while opening the file."), NULL);
- purple_debug_warning("gtkutils", "filename: %s; code: %d\n", uri, code);
+ purple_debug_warning("gtkutils", "filename: %s; code: %d\n", @@ -3313,15 +3309,15 @@
if (purple_running_gnome())
- char *escaped = g_shell_quote(uri);
+ char *escaped = g_shell_quote(filename); command = g_strdup_printf("gnome-open %s", escaped);
else if (purple_running_kde())
- char *escaped = g_shell_quote(uri);
- if (purple_str_has_suffix(uri, ".desktop"))
+ char *escaped = g_shell_quote(filename); + if (purple_str_has_suffix(filename, ".desktop")) command = g_strdup_printf("kfmclient openURL %s 'text/plain'", escaped);
command = g_strdup_printf("kfmclient openURL %s", escaped);
@@ -3329,7 +3325,7 @@
- purple_notify_uri(NULL, uri);
+ purple_notify_uri(NULL, filename); @@ -3339,7 +3335,7 @@
if (!g_spawn_command_line_sync(command, NULL, NULL, &exit_status, &error))
tmp = g_strdup_printf(_("Error launching %s: %s"),
+ filename, error->message); purple_notify_error(imhtml, NULL, _("Unable to open file."), tmp);
@@ -3360,8 +3356,9 @@
file_clicked_cb(GtkIMHtml *imhtml, GtkIMHtmlLink *link)
- const char *uri = gtk_imhtml_link_get_url(link) + FILELINKSIZE;
- file_open_uri(imhtml, uri);
+ /* Strip "file://" from the URI. */ + const char *filename = gtk_imhtml_link_get_url(link) + FILELINKSIZE; + open_file(imhtml, filename); @@ -3369,7 +3366,7 @@
open_containing_cb(GtkIMHtml *imhtml, const char *url)
char *dir = g_path_get_dirname(url + FILELINKSIZE);
- file_open_uri(imhtml, dir);
+ open_file(imhtml, dir);