Witold Filipczyk <[EMAIL PROTECTED]> writes:

> On Sun, Feb 25, 2007 at 10:52:47AM +0200, Kalle Olavi Niemitalo wrote:
>> spaces2      "Decode %20 in local filenames and enclose them with '"'."
>>      This seems suspicious.  What if there is '"' or '\' in the
>>      filename?  There is add_shell_quoted_to_string for such
>>      purposes.
>
> Fixed. Thanks.
> spaces2 handles mailcap entries like this:
> application/x-tar; /bin/tar tvf -; print=/bin/tar tvf - | print text/plain:-; copiousoutput

Unfortunately, it seems this patch is not safe to apply.  The
problem is that Debian's update-mime program automatically
changes %s to '%s' in mailcap entries.  See Debian bugs 90483 and
221717.  When ELinks' add_shell_quoted_to_string adds another
pair of single-quotes around the file name, the quotes cancel
out, and metacharacters in the file name can then cause the shell
to run arbitrary programs.

In RFC 1524, there is a sentence about mailcap %{parameter}
expansions: "The entire parameter should appear as a single
command line argument, regardless of embedded spaces."  This
might be interpreted to mean that Debian does wrong.  Still,
opening a security hole here would be a disservice to ELinks
users, even if it's really Debian's fault.  The current code
passes the URL-encoded filename, which prevents spaces from
working, but also restricts the set of metacharacters available
and so prevents some (perhaps all) attacks.

There are a few ways to make the spaces work:

- Automatically detect whether and how the string has been
  quoted, and adapt.  This detection cannot be based solely on
  whether the system is Debian, because the user's ~/.mailcap
  may contain entries that are quoted differently.  Also, if
  the % is nested deeply inside backquotes and such, it may
  not be obvious what should happen.  In such cases, it would
  be best to give an error message.

- Copy even local files to temporary files and ensure that the
  name of the temporary file contains only safe characters and so
  does not need to be quoted.  If the temporary file is created
  in $TMPDIR and $TMPDIR already contains unsafe characters, then
  ELinks should refuse to run the MIME handler.

- As above but make hard or symbolic links instead of full copies.

- Disable mailcap support so that the user must manually specify
  all MIME handlers in ELinks, and tell the user not to put
  quotes around the % placeholder.

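The quoting interaction Kalle describes, worked through as an added example (this is not code from the thread or from ELinks; the function names, the allowlist policy for generated temporary paths and the sample file name are all assumptions made here). `expand_mailcap` implements the first of the options above: it looks at the characters around `%s` in the mailcap template, inserts only the body of a single-quoted string when the template already reads `'%s'` (the form Debian's update-mime writes), applies full quoting otherwise, and refuses a `%s` that sits inside backquotes. `expand_mailcap_naive` always quotes, so on a `'%s'` template it produces the `''name''` form in which the quotes cancel and the name is exposed to the shell again. `is_shell_safe_name` is the check the second option needs for a temporary path.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Body of a single-quoted /bin/sh string: each embedded ' becomes '\''
 * (close the quotes, add an escaped quote, reopen).  Caller frees. */
static char *quote_body(const char *s)
{
    char *out = malloc(4 * strlen(s) + 1), *o = out;
    for (; *s; s++) {
        if (*s == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* Full quoting, as the thread describes add_shell_quoted_to_string:
 * the body wrapped in a pair of single quotes.  Caller frees. */
char *shell_quote(const char *s)
{
    char *body = quote_body(s);
    char *out = malloc(strlen(body) + 3);
    sprintf(out, "'%s'", body);
    free(body);
    return out;
}

/* Assumed allowlist for a generated temporary path: letters, digits,
 * '/', '.', '_' and '-', and no leading '-' so it cannot be read as an
 * option.  A path failing this should make the handler refuse to run. */
int is_shell_safe_name(const char *s)
{
    if (*s == '\0' || *s == '-') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Expand every %s in a mailcap command template, adapting to the
 * quoting already present.  Returns NULL when %s is inside backquotes,
 * where the correct quoting is not obvious.  Caller frees. */
char *expand_mailcap(const char *tmpl, const char *filename)
{
    size_t n_subst = 0;
    for (const char *p = tmpl; (p = strstr(p, "%s")); p += 2) n_subst++;
    size_t cap = strlen(tmpl) + n_subst * (4 * strlen(filename) + 3) + 1;
    char *out = malloc(cap), *o = out;
    int in_backquote = 0;

    for (const char *p = tmpl; *p; p++) {
        if (*p == '`') in_backquote = !in_backquote;
        if (*p == '%' && p[1] == 's') {
            if (in_backquote) { free(out); return NULL; }
            /* '%s' already in the template: insert only the quoted body */
            int pre_quoted = p > tmpl && p[-1] == '\'' && p[2] == '\'';
            char *q = pre_quoted ? quote_body(filename) : shell_quote(filename);
            size_t len = strlen(q);
            memcpy(o, q, len);
            o += len;
            free(q);
            p++;                       /* skip the 's' of %s */
            continue;
        }
        *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* The unsafe variant the thread warns about: always quoting, even when
 * the template already did.  On '%s' this yields ''name'' and the
 * quotes cancel out.  Caller frees. */
char *expand_mailcap_naive(const char *tmpl, const char *filename)
{
    const char *at = strstr(tmpl, "%s");
    if (!at) { char *c = malloc(strlen(tmpl) + 1); strcpy(c, tmpl); return c; }
    char *q = shell_quote(filename);
    char *out = malloc(strlen(tmpl) + strlen(q) + 1);
    sprintf(out, "%.*s%s%s", (int)(at - tmpl), tmpl, q, at + 2);
    free(q);
    return out;
}

int main(void)
{
    const char *name = "my 'backup' file.tar";   /* constructed sample name */
    char *a = expand_mailcap("/bin/tar tvf %s", name);
    char *b = expand_mailcap("/bin/tar tvf '%s'", name);
    char *c = expand_mailcap_naive("/bin/tar tvf '%s'", name);
    printf("plain template : %s\n", a);
    printf("'%%s' template  : %s\n", b);
    printf("naive on '%%s'  : %s   <- quotes cancel\n", c);
    free(a); free(b); free(c);
    return 0;
}
```

Running it shows the same safely quoted command for both template styles, and the naive expansion with the file name standing outside any quotes. The detection is deliberately narrow: it only recognises a single quote immediately on each side of `%s`, and anything it cannot classify (the backquote case here) is an error rather than a guess, which matches the thread's suggestion of giving an error message in unclear cases.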

_______________________________________________
elinks-dev mailing list
elinks-dev@linuxfromscratch.org
http://linuxfromscratch.org/mailman/listinfo/elinks-dev
