https://bugs.documentfoundation.org/show_bug.cgi?id=162632
--- Comment #9 from Buovjaga <[email protected]> ---
(In reply to Mike Kaganski from comment #8)
> Code pointer (already mentioned in the thread referenced in comment 1):
>
> https://opengrok.libreoffice.org/xref/core/shell/source/unix/misc/senddoc.sh

Oh, I see one possible failure route in that script: the use of mailto: with xdg-email. mailto with attach parameter is considered an attack vector and support for it was first removed in Thunderbird and later in xdg-email:
https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28

So while Thunderbird with --attach will work, maybe there is a case where xdg-email is invoked with mailto. The script should be updated.

Quote from https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/177#note_2127982:

"Note: the real problem here is not that the --attach option exists, that one is okay and useful. The security problem is that the mailto: URL may contain a property that has the same effect but may come from an untrusted source and passed to xdg-email without being filtered (after all xdg-email is supposed to handle that)."
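
The filtering that the quoted note says is missing, sketched as an added example (not code from senddoc.sh, xdg-email or this thread): a POSIX shell function that keeps only allowlisted header fields of a mailto: URI before it is handed to a mail launcher. The function name and the allowlist (to, cc, bcc, subject, body) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: drop every mailto: header field that is not allowlisted,
# so an "attach" property from an untrusted URI never reaches the mailer.
# Assumption: only to, cc, bcc, subject and body are needed by the caller.

sanitize_mailto() {
    uri=$1
    case $uri in
        [Mm][Aa][Ii][Ll][Tt][Oo]:*) ;;
        *) return 1 ;;                  # not a mailto: URI, refuse it
    esac
    # Split "mailto:addr" from the "k=v&k=v" header part.
    case $uri in
        *\?*) head=${uri%%\?*}; query=${uri#*\?} ;;
        *)    printf '%s\n' "$uri"; return 0 ;;
    esac
    kept=
    old_ifs=$IFS
    IFS='&'
    set -f                              # no globbing while splitting on '&'
    for field in $query; do
        key=${field%%=*}
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $lkey in
            to|cc|bcc|subject|body)
                kept="${kept:+$kept&}$field" ;;
            *)  # attach, attachment, percent-encoded or unknown names
                printf 'dropped mailto field: %s\n' "$key" >&2 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$head${kept:+?$kept}"
}

# Constructed sample input, not taken from the bug report.
sanitize_mailto 'mailto:user@example.org?subject=Report&attach=/home/user/notes.txt'
```

Because the match is an allowlist on the literal field name, a percent-encoded spelling of `attach` is dropped as well instead of needing to be decoded first.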
