From ca9d2d1cdcec0a2deaa6e6635b4ed04a85c1ff45 Mon Sep 17 00:00:00 2001
From: Francis Lachapelle
Date: Thu, 20 Jan 2022 14:47:23 -0500
Subject: [PATCH] fix(mail): don't allow XML inline attachments
---
 UI/MailerUI/UIxMailView.m | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/UI/MailerUI/UIxMailView.m b/UI/MailerUI/UIxMailView.m
index 54ed8ef34..e7be2fe13 100644
--- a/UI/MailerUI/UIxMailView.m
+++ b/UI/MailerUI/UIxMailView.m
@@ -221,12 +221,18 @@ static NSString *mailETag = nil;
 for (count = 0; count < max; count++)
 {
 attributes = [[self attachmentAttrs] objectAtIndex: count];
- filename = [NSString stringWithFormat: @"<%@>", [attributes objectForKey: @"filename"]];
- [attachmentIds setObject: [attributes objectForKey: @"url"]
- forKey: filename];
- if ([[attributes objectForKey: @"bodyId"] length])
- [attachmentIds setObject: [attributes objectForKey: @"url"]
- forKey: [attributes objectForKey: @"bodyId"]];
+
+ // Don't allow XML inline attachments
+ if (![[attributes objectForKey: @"mimetype"] hasSuffix: @"xml"] &&
+ ![[[attributes objectForKey: @"filename"] lowercaseString] hasSuffix: @"svg"])
+ {
+ filename = [NSString stringWithFormat: @"<%@>", [attributes objectForKey: @"filename"]];
+ [attachmentIds setObject: [attributes objectForKey: @"url"]
+ forKey: filename];
+ if ([[attributes objectForKey: @"bodyId"] length])
+ [attachmentIds setObject: [attributes objectForKey: @"url"]
+ forKey: [attributes objectForKey: @"bodyId"]];
+ }
 }
 // Attachment IDs will be decoded in UIxMailPartEncryptedViewer for
 // S/MIME encrypted emails with file attachments.
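Review bot: The new mimetype test inside the `for` loop is case-sensitive, while the filename test on the next line lowercases its value first; MIME types are case-insensitive, so unless `attachmentAttrs` already normalizes the value (not visible here) a part whose declared type differs only in letter case would still be mapped into `attachmentIds`. Lowercasing both sides keeps the two checks consistent: `if (![[[attributes objectForKey: @"mimetype"] lowercaseString] hasSuffix: @"xml"] &&`. The guard is also a denylist keyed on the sender-supplied type and file name, so an allowlist of the image types that may be referenced inline would be the more robust form. The added comment could state why XML is excluded, presumably because formats such as SVG can carry script when rendered inline. The enclosing method starts and ends outside the hunk, so how the attachment URL is finally served cannot be judged from here.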