@dikiy-evrej I don't think that the recent change was in Thunderbird.
The recent change here was to drop the attach= parameter from the mailto
URL passed to Thunderbird, so that if you click a malicious mailto link
in e.g. Chrome, it can't trick you into sending arbitrary files.

Problem was that xdg-email parses its command line arguments - supplied
by e.g. simple-scan - and converts them to a mailto URL with attach=
parameter - which it then drops before calling TB.

My hack in the simple-scan bug above is to only drop the attach
parameter if the caller is Chrome or Chromium as those are the browsers
used in my environment, but a better fix is required...

-- 
https://bugs.launchpad.net/bugs/1909941

Title:
  xdg-email changes break simple-scan email functionality

Status in xdg-utils package in Ubuntu:
  Confirmed

Bug description:
  Observed on 16.04 to 20.04
  xdg-email no longer actions "-attach filename" arguments when running
  thunderbird following recent security fixes to protect against malicious
  use from browser (https://security-tracker.debian.org/tracker/CVE-2020-27748
  and https://ubuntu.com/security/CVE-2020-27748)

  This breaks simple-scan "send by email" functionality and other
  applications too.

  https://gitlab.gnome.org/GNOME/simple-scan/-/issues/216
  https://forums.linuxmint.com/viewtopic.php?f=208&t=336053
  https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28 (see comments)
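
An added illustration of the distinction discussed in this bug (it is not xdg-email's code and not the hack mentioned in the comment above): attach= is stripped from the mailto URI the caller supplied, and only afterwards are files appended that the calling application passed as separate arguments. The function names strip_attach and compose_uri are hypothetical, the sample URIs are constructed, and file paths are assumed to be percent-encoded already.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not taken from xdg-utils.

# strip_attach URI: print URI with every attach= query parameter removed.
strip_attach() {
    uri=$1
    case $uri in
        *\?*) base=${uri%%\?*}; query=${uri#*\?} ;;
        *)    printf '%s\n' "$uri"; return 0 ;;
    esac
    kept=
    old_ifs=$IFS; IFS='&'
    set -f                              # no globbing while splitting on '&'
    for param in $query; do
        key=$(printf '%s' "${param%%=*}" | tr '[:upper:]' '[:lower:]')
        case $key in
            # Drop attach in any letter case. Also drop keys containing '%':
            # to, cc, bcc, subject and body never need encoding, and an
            # encoded key could decode to "attach" in the mail client.
            attach|*%*) continue ;;
        esac
        kept="${kept:+$kept&}$param"
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$base${kept:+?$kept}"
}

# compose_uri URI [FILE...]: sanitize the supplied URI first, then append
# attachments the calling application gave as separate arguments.
compose_uri() {
    out=$(strip_attach "$1"); shift
    for file in "$@"; do
        case $out in *\?*) sep='&' ;; *) sep='?' ;; esac
        out="$out${sep}attach=$file"    # assumption: $file is already percent-encoded
    done
    printf '%s\n' "$out"
}

# Constructed inputs: a link as handed over by a browser, then a scan sent by an app.
compose_uri 'mailto:a@example.org?subject=hi&attach=/home/user/private.txt'
compose_uri 'mailto:a@example.org?subject=Scan' /tmp/scan.pdf
```

Stripping only at the very end, after both sources have been merged into one URL, cannot tell the two apart, which is the breakage reported here.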
