fix(mail): don't allow XML inline attachments

Alinto · Jan 20, 2022 · ca9d2d1 · ca9d2d1
1 parent 5575a4c
commit ca9d2d1
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/UI/MailerUI/UIxMailView.m b/UI/MailerUI/UIxMailView.m
@@ -221,12 +221,18 @@ - (id) contentViewerComponent
       for (count = 0; count < max; count++)
         {
           attributes = [[self attachmentAttrs] objectAtIndex: count];
-          filename = [NSString stringWithFormat: @"<%@>", [attributes objectForKey: @"filename"]];
-          [attachmentIds setObject: [attributes objectForKey: @"url"]
-                            forKey: filename];
-          if ([[attributes objectForKey: @"bodyId"] length])
-            [attachmentIds setObject: [attributes objectForKey: @"url"]
-                              forKey: [attributes objectForKey: @"bodyId"]];
+
+          // Don't allow XML inline attachments
+          if (![[attributes objectForKey: @"mimetype"] hasSuffix: @"xml"] &&
+              ![[[attributes objectForKey: @"filename"] lowercaseString] hasSuffix: @"svg"])
+            {
+              filename = [NSString stringWithFormat: @"<%@>", [attributes objectForKey: @"filename"]];
+              [attachmentIds setObject: [attributes objectForKey: @"url"]
+                                forKey: filename];
+              if ([[attributes objectForKey: @"bodyId"] length])
+                [attachmentIds setObject: [attributes objectForKey: @"url"]
+                                  forKey: [attributes objectForKey: @"bodyId"]];
+            }
         }
       // Attachment IDs will be decoded in UIxMailPartEncryptedViewer for
       // S/MIME encrypted emails with file attachments.