Comment 20 for bug 1909941

Andy Juniper (q-linux) wrote :

@dikiy-evrej I don't think that the recent change was in Thunderbird. The recent change here was to drop the attach= parameter from the mailto URL passed to Thunderbird, so that if you click a malicious mailto link in e.g. Chrome, it can't trick you into sending arbitrary files.

The problem was that xdg-email parses its command line arguments - supplied by e.g. simple-scan - and converts them to a mailto URL with an attach= parameter - which it then drops before calling TB.

My hack in the simple-scan bug above is to only drop the attach parameter if the caller is Chrome or Chromium as those are the browsers used in my environment, but a better fix is required...
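
An added illustration, not part of the comment above and not xdg-utils code: a Python sketch that decides by input channel rather than by calling process, dropping attach= from a mailto URL received as a link while keeping files the caller named explicitly. The function names, the `trusted_attachments` argument and the sample paths are assumptions made for this example.

```python
from urllib.parse import urlsplit, unquote, quote

BLOCKED = frozenset({"attach"})  # the parameter named in this bug


def sanitize_mailto(uri, blocked=BLOCKED):
    """Return (clean_uri, dropped_values) for a mailto URI received as a link."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto URI")
    kept, dropped = [], []
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        # Compare the decoded, case-folded name so that spellings such as
        # "%41ttach" or "ATTACH" are filtered like "attach".
        if unquote(name).strip().lower() in blocked:
            dropped.append(unquote(value))
        else:
            kept.append(pair)  # other fields pass through byte for byte
    clean = "mailto:" + parts.path
    if kept:
        clean += "?" + "&".join(kept)
    return clean, dropped


def build_mailto(uri, trusted_attachments=()):
    """Strip attach= from the URI, then append only the files the caller
    passed as separate arguments (hypothetical trusted channel)."""
    clean, dropped = sanitize_mailto(uri)
    extra = ["attach=" + quote(path, safe="/") for path in trusted_attachments]
    if extra:
        clean += ("&" if "?" in clean else "?") + "&".join(extra)
    return clean, dropped


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_mailto("mailto:bob@example.org?subject=hi&attach=/home/user/private.txt"))
    print(build_mailto("mailto:bob@example.org?subject=scan", ["/tmp/scan 1.pdf"]))
```

The second return value lists what was removed, so a wrapper can log or warn instead of dropping attachments silently.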