posix
March 27, 2022, 11:35am
#1
Under macOS, Mailspring does create quicklookpreview for the attachments of email.
async function _generateQuicklookPreview({ filePath }: { filePath: string }) {
const dirQuoted = `"${path.dirname(filePath).replace(/"/g, '\\"')}"`;
const pathQuoted = `"${filePath.replace(/"/g, '\\"')}"`;
return new Promise(resolve => {
const cmd = `qlmanage -t -f ${window.devicePixelRatio} -s ${ThumbnailWidth} -o ${dirQuoted} ${pathQuoted}`;
exec(cmd, (error, stdout, stderr) => {
// Note: sometimes qlmanage outputs to stderr but still successfully
// produces a thumbnail. It complains about bad plugins pretty often.
if (
error ||
stdout.match(/No thumbnail created/i) ||
(stderr && !stdout.includes('produced one thumbnail'))
) {
resolve(false);
} else {
resolve(true);
}
});
show original
They put the filename into command line with some sanitizing of removing double quote to create quicklookview.
So, email with a attachment named “$(command).md” will execute the arbitrary command when reading the mail.
Phylu
March 28, 2022, 2:50pm
#2
@posix Thanks a lot for bringing this to our attention. I will take a look at this as soon as possible!
Cheers
Phylu
March 28, 2022, 4:09pm
#4
@posix After confirming this issue, I just unlisted it from the discourse overview and search until we are able to resolve this.
1 Like
Phylu
March 30, 2022, 10:12am
#6
This has been resolved with the latest version 10.0.2 .@posix
system
April 29, 2022, 10:12am
#7
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.