authorGeorge Hazan <george.hazan@gmail.com>2024-04-22 19:20:09 +0300
committerGeorge Hazan <george.hazan@gmail.com>2024-04-22 19:20:09 +0300
commit8a055f1fb6d9a0ccdeda38f4839840d4d3e549c0 (patch)
treeb5d80670c694fed65825c02b37a8b3263d0e2ca6 /plugins/NewStory
parentd0c5ccfc55ec85f56014f3d213325be4c32da00b (diff)
fixes #4372 (NewStory: possible remote code execution)
Diffstat (limited to 'plugins/NewStory')
-rw-r--r--plugins/NewStory/src/webpage.cpp11
1 files changed, 10 insertions, 1 deletions
diff --git a/plugins/NewStory/src/webpage.cpp b/plugins/NewStory/src/webpage.cpp
index 716bfd6459..dbf2ba22b4 100644
--- a/plugins/NewStory/src/webpage.cpp
+++ b/plugins/NewStory/src/webpage.cpp
@@ -693,7 +693,16 @@ void NSWebPage::make_url(LPCWSTR url, LPCWSTR, std::wstring &out)
void NSWebPage::on_anchor_click(const char *pszUtl, const element::ptr &)
{
- Utils_OpenUrlW(Utf2T(pszUtl));
+ Utf2T wszUrl(pszUtl);
+
+ DWORD dwType;
+ const wchar_t *p = (!mir_wstrncmp(wszUrl, L"file://", 7)) ? wszUrl.get() + 7 : wszUrl.get();
+ if (GetBinaryTypeW(p, &dwType)) {
+ CMStringW wszText(FORMAT, L"%s\r\n\r\n%s", TranslateT("This url might launch an executable program or virus, are you sure?"), wszUrl.get());
+ if (IDYES != MessageBoxW(0, wszText, TranslateT("Potentially dangerous URL"), MB_ICONWARNING | MB_YESNO))
+ return;
+ }
+ Utils_OpenUrlW(wszUrl);
}
void NSWebPage::set_base_url(const char *)
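Review bot: The confirmation in `on_anchor_click` is gated on `GetBinaryTypeW` succeeding, so it works as a deny-list: only targets that Windows recognises as executable images raise the prompt, and every other file type the shell would hand to an interpreter or installer still goes straight to `Utils_OpenUrlW`. The `file://` test also matches only that exact prefix (`mir_wstrncmp` looks case-sensitive, and nothing normalises the URL first), so the string being probed may not be the path that is eventually opened. Consider inverting the check into an allow-list, e.g. `bool bWeb = !mir_wstrncmpi(wszUrl, L"http://", 7) || !mir_wstrncmpi(wszUrl, L"https://", 8);`, and showing the warning whenever `bWeb` is false. Note too that `GetBinaryTypeW` has to open the file, so for a network path the probe itself presumably contacts the remote host before the user is asked.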