[Possible bug] Lister-ExplorerPreview and Thumbs, FontPreview: simplified font preview still shown by default

Please report only one bug per message!

Moderators: white, Hacker, petermad, Stefan2

Post Reply
User avatar
DrShark
Power Member
Power Member
Posts: 1872
Joined: 2006-11-03, 22:26 UTC
Location: Kyiv, 68/262
Contact:

[Possible bug] Lister-ExplorerPreview and Thumbs, FontPreview: simplified font preview still shown by default

Post by *DrShark »

In TC 9.22, due to known security bug in Windows font handler, font previews in Lister's ExplorerPreview are disabled by default:
HISTORY.TXT wrote:24.03.20 Fixed: Lister: Disallow Explorer preview (mode '8') for font files due to a security hole in Windows font handler. Can be enabled manually after Microsoft releases a patch via wincmd.ini [Configuration] FontPreview=1 or FontPreview=2 for only Windows 10 1607 or newer, where fonts are loaded outside the kernel (32/64)
Here on Windows 7 32-bit, this change actually disables the full font preview, which should show an alphabet using a font, and also a sample text in different sizes, in TC.

However, I still see simplified 3-character font previews in some cases:
1) in \\Fonts, opened by cm_OpenFonts, there are 3-letter previews in TC's thumbnails view (Lister, though, doesn't open fonts at all in \\Fonts, because Lister only works in virtual folders for which TC can retrieve a real directory, which TC can't do in \\Fonts\ - a strange distinction from TC's Thumbs view);
2) in some virtual paths (it seems where TC can get a real directory): e.g. add some dir, except %windir%\fonts, to a new Windows Library named Fonts, then in cm_OpenDesktop, open Libraries, then Fonts. And when TC is in \\Fonts\ library, Lister/QuickView and TC's thumbnails both show 3-character font previews.
3) for font files stored in locations other than other than %windir%\fonts\, there are simplified previews both Lister in ExplorerPreview mode and TC's thumbnail view.

I get here simplified previews for, at least, fonts with *.fon, *.otf and *.ttf extensions.

Here's how a simplified font preview looks like in Lister:
http://live.staticflickr.com/65535/51019086522_c4e84e2b4d_m.jpg

Even though here Lister doesn't show "<Explorer>" text in the title (like "Lister <Explorer> - [<path_to_file>]"), which is usually an indication that ExplorerPreview is used, I actually get such a preview when I press 8 in Lister. Maybe this is because in that case Lister uses IThumbnailProvider instead of IPreviewHandler to show the preview.

By email, Christian Ghisler told that he doesn't get such simplified previews in own environment, and his guess is that on my system such font previews are generated by some 3rd party Explorer extenstions. Since I doubt this is the case, I'm posting it here to hear from users whether they get such simplified font previews in Lister and/or Thumbs mode too.

P.S. I'm not a security expert, and don't know whether such simplified font previews, probably generated by IThumbnailProvider, are safe in context of Windows font security bugs, but
there are recommendations, if I understand it right, to disable all kinds of font previews on unpatched Windows:
https://www.tenforums.com/windows-10-news/152790-type-1-font-parsing-remote-code-execution-vulnerability-windows.html
https://www.ghacks.net/2020/03/24/critical-font-parsing-issue-in-windows-revealed-fix-inside/
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708
User avatar
ghisler(Author)
Site Admin
Site Admin
Posts: 48005
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Re: [Possible bug] Lister-ExplorerPreview and Thumbs, FontPreview: simplified font preview still shown by default

Post by *ghisler(Author) »

This looks like a thumbnail requested from Explorer.

I added this back then because it was a very recent issue, but in the meantime most Windows versions should be patched - otherwise it's the users's fault to have no security.
Author of Total Commander
https://www.ghisler.com
User avatar
petermad
Power Member
Power Member
Posts: 14700
Joined: 2003-02-05, 20:24 UTC
Location: Denmark
Contact:

Re: [Possible bug] Lister-ExplorerPreview and Thumbs, FontPreview: simplified font preview still shown by default

Post by *petermad »

2DrShark
By email, Christian Ghisler told that he doesn't get such simplified previews in own environment, and his guess is that on my system such font previews are generated by some 3rd party Explorer extenstions. Since I doubt this is the case, I'm posting it here to hear from users whether they get such simplified font previews in Lister and/or Thumbs mode too.
I cannot confirm your findings for Windows 7 x64.

Here in Windows 7 x64 i get standard Windows full preview of .ttf and .fon and .otf files when using Lister's ExplorerPreview if FontPreview=1

That goes for both files in %windir%\fonts and elsewhere in file system - but NOT for "files" in \\Fonts (virtual folder) - here I get the message "Search path not found" if I press F3 on a file. If I explicitly try to open a file in \\Fonts via %COMMANDER_EXE% /i="%COMMANDER_INI%" /S=L:T8 - then Lister opens with a ? in the window (it looks like Lister tries to open the "files" as dirs).

In Thumbnail view I only see icons with a white folder with a blue "A" in the lower left corner.
License #524 (1994)
Danish Total Commander Translator
TC 11.03 32+64bit on Win XP 32bit & Win 7, 8.1 & 10 (22H2) 64bit, 'Everything' 1.5.0.1371a
TC 3.50b4 on Android 6 & 13
Try: TC Extended Menus | TC Languagebar | TC Dark Help | PHSM-Calendar
User avatar
DrShark
Power Member
Power Member
Posts: 1872
Joined: 2006-11-03, 22:26 UTC
Location: Kyiv, 68/262
Contact:

Re: [Possible bug] Lister-ExplorerPreview and Thumbs, FontPreview: simplified font preview still shown by default

Post by *DrShark »

petermad wrote: 2021-03-10, 01:48 UTCI cannot confirm your findings for Windows 7 x64.

Here in Windows 7 x64 i get standard Windows full preview of .ttf and .fon and .otf files when using Lister's ExplorerPreview if FontPreview=1
The issue is that I get the 3-character preview thumbnails even with default TC settings, which for Windows 7 I guess means TC uses FontPreview=0.

Another part of the problem is that I don't know which thumbnail provider gives TC that thumbnail, and, as explained in email by Christian Ghisler, TC doesn't have that information either:
Christian Ghisler by email wrote:I get the IID_IThumbnailProvider for a file, and then call GetThumbnail. I have no idea which thumbnail provider handles it.
Does anyoune know how to get names/IDs of thumbnail providers used by Explorer to generate thumbnails for TC (there is no such problem with preview handlers - TC communicates with them in more direct way)?
Donate for Ukraine to help stop Russian invasion!
Ukraine's National Bank special bank account:
UA843000010000000047330992708
Post Reply