diff --git a/ChangeLog b/ChangeLog index 00fea734f..6ca179e1c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2002-02-28 Darin Adler + + * src/nautilus-sidebar.c: (add_command_buttons): Use + eel_str_replace_substring to replace the %s rather than using + g_strdup_printf. It's not safe to use a string from a data + file as a strdup format string. + + * configure.in: Bump librsvg required verson. + 2002-02-28 Josh Barrow * icons/sierra/Makefile.am: diff --git a/configure.in b/configure.in index 2c459df93..5305bfb0a 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,7 @@ GNOME_UI_REQUIRED=1.110.1 GNOME_VFS_REQUIRED=1.1 GTK_REQUIRED=1.3.10 MEDUSA_REQUIRED=0.5.1 -RSVG_REQUIRED=1.1.4 +RSVG_REQUIRED=1.1.5 XML_REQUIRED=2.4.7 AC_SUBST(EEL_REQUIRED) diff --git a/src/nautilus-information-panel.c b/src/nautilus-information-panel.c index cfee80332..af4e11c3f 100644 --- a/src/nautilus-information-panel.c +++ b/src/nautilus-information-panel.c @@ -1366,13 +1366,6 @@ add_command_buttons (NautilusSidebar *sidebar, GList *application_list) FALSE, FALSE, 0); - /* FIXME bugzilla.gnome.org 42510: Security hole? - * Unsafe to use a string from the MIME file as a - * printf format string without first checking it over - * somehow. We can do a search and replace on the "%s" - * part instead, which should work. - */ - /* Get the local path, if there is one */ file_path = gnome_vfs_get_local_path_from_uri (sidebar->details->uri); if (file_path == NULL) { @@ -1380,7 +1373,7 @@ add_command_buttons (NautilusSidebar *sidebar, GList *application_list) } temp_str = g_shell_quote (file_path); - id_string = g_strdup_printf (application->id, temp_str); + id_string = eel_str_replace_substring (application->id, "%s", temp_str); g_free (file_path); g_free (temp_str); diff --git a/src/nautilus-sidebar.c b/src/nautilus-sidebar.c index cfee80332..af4e11c3f 100644 --- a/src/nautilus-sidebar.c +++ b/src/nautilus-sidebar.c 
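Review bot: The new `id_string = eel_str_replace_substring (application->id, "%s", temp_str);` line closes the format-string problem, but the result still depends on how the `%s` placeholder is written inside `application->id`. `temp_str` is already the output of `g_shell_quote`, so a template that wraps the placeholder in its own quotes would presumably cancel that quoting once the string reaches a shell. Where `id_string` is consumed lies outside the hunk, so this is inferred from the `g_shell_quote` call rather than seen. Since the old FIXME is deleted, I would leave a short comment in its place, e.g. `/* application->id comes from the MIME data: substitute the literal "%s" only, never use it as a printf format; the path is already shell-quoted */`. The same line is changed identically in the second hunk of src/nautilus-sidebar.c.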
@@ -1366,13 +1366,6 @@ add_command_buttons (NautilusSidebar *sidebar, GList *application_list) FALSE, FALSE, 0); - /* FIXME bugzilla.gnome.org 42510: Security hole? - * Unsafe to use a string from the MIME file as a - * printf format string without first checking it over - * somehow. We can do a search and replace on the "%s" - * part instead, which should work. - */ - /* Get the local path, if there is one */ file_path = gnome_vfs_get_local_path_from_uri (sidebar->details->uri); if (file_path == NULL) { @@ -1380,7 +1373,7 @@ add_command_buttons (NautilusSidebar *sidebar, GList *application_list) } temp_str = g_shell_quote (file_path); - id_string = g_strdup_printf (application->id, temp_str); + id_string = eel_str_replace_substring (application->id, "%s", temp_str); g_free (file_path); g_free (temp_str);
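Review bot: Replacing `g_strdup_printf` with `eel_str_replace_substring (application->id, "%s", temp_str)` also changes what the template syntax means, and nothing in the hunk records that. `%%` is no longer reduced to a single `%`, and if the helper replaces every match (its definition is not in this diff), a `%s` that follows an escaped percent is now substituted too. Existing entries that relied on printf escaping would then yield a different command string. I would state the accepted placeholder syntax in a comment above the call, e.g. `/* only the literal "%s" is expanded; no other printf syntax is interpreted */`. The same applies to the identical hunk in src/nautilus-information-panel.c; add_command_buttons continues outside both hunks.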