Witold Filipczyk <[EMAIL PROTECTED]> writes:

> On Sun, Feb 25, 2007 at 10:52:47AM +0200, Kalle Olavi Niemitalo wrote:
>> spaces2 "Decode %20 in local filenames and enclose them with '"'."
>> This seems suspicious. What if there is '"' or '\' in the
>> filename? There is add_shell_quoted_to_string for such
>> purposes.
>
> Fixed. Thanks.
> spaces2 handles mailcap entries like this:
> application/x-tar; /bin/tar tvf -; print=/bin/tar tvf - | print text/plain:-;
> copiousoutput

Unfortunately, it seems this patch is not safe to apply. The problem is that Debian's update-mime program automatically changes %s to '%s' in mailcap entries. See Debian bugs 90483 and 221717. When ELinks' add_shell_quoted_to_string adds another pair of single-quotes around the file name, the quotes cancel out, and metacharacters in the file name can then cause the shell to run arbitrary programs.

In RFC 1524, there is a sentence about mailcap %{parameter} expansions: "The entire parameter should appear as a single command line argument, regardless of embedded spaces." This might be interpreted to mean that Debian does wrong. Still, opening a security hole here would be a disservice to ELinks users, even if it's really Debian's fault.

The current code passes the URL-encoded filename, which prevents spaces from working, but also restricts the set of metacharacters available and so prevents some (perhaps all) attacks. There are a few ways to make the spaces work:

- Automatically detect whether and how the string has been quoted, and adapt. This detection cannot be based solely on whether the system is Debian, because the user's ~/.mailcap may contain entries that are quoted differently. Also, if the % is nested deeply inside backquotes and such, it may not be obvious what should happen. In such cases, it would be best to give an error message.

- Copy even local files to temporary files and ensure that the name of the temporary file contains only safe characters and so does not need to be quoted. If the temporary file is created in $TMPDIR and $TMPDIR already contains unsafe characters, then ELinks should refuse to run the MIME handler.

- As above but make hard or symbolic links instead of full copies.

- Disable mailcap support so that the user must manually specify all MIME handlers in ELinks, and tell the user not to put quotes around the % placeholder.
_______________________________________________ elinks-dev mailing list elinks-dev@linuxfromscratch.org http://linuxfromscratch.org/mailman/listinfo/elinks-dev
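
A sketch of the first option in the message above (detect how the %s placeholder has been quoted, and give an error when that is not obvious), added here as an example and not taken from ELinks or from the patch under discussion. The enum and function names are hypothetical, the mailcap commands in it are constructed, and the scanner only approximates POSIX sh quoting rules.

```c
#include <stdio.h>

/* Quoting context in which a mailcap "%s" placeholder appears.
 * Hypothetical names; these are not ELinks identifiers. */
enum pct_context { PCT_NONE, PCT_BARE, PCT_SINGLE, PCT_DOUBLE, PCT_UNSAFE };

/* Scan a mailcap command template and report the context of "%s".
 * Templates that mix contexts, put the placeholder after a backquote or
 * "$(", or end inside an open quote yield PCT_UNSAFE so that the caller
 * can refuse to run the handler instead of guessing. */
enum pct_context classify_placeholder(const char *cmd)
{
	enum pct_context found = PCT_NONE, here;
	int in_single = 0, in_double = 0, in_subst = 0;
	const char *p;

	for (p = cmd; *p; p++) {
		if (in_single) {            /* only ' ends a single-quoted run */
			if (*p == '\'') { in_single = 0; continue; }
		} else if (*p == '\\') {    /* backslash escapes the next char */
			if (p[1]) p++;
			continue;
		} else if (*p == '`' || (*p == '$' && p[1] == '(')) {
			in_subst = 1;           /* do not reason past a substitution */
			continue;
		} else if (*p == '"') {
			in_double = !in_double;
			continue;
		} else if (*p == '\'' && !in_double) {
			in_single = 1;
			continue;
		}
		if (p[0] != '%' || p[1] != 's') continue;
		here = in_subst ? PCT_UNSAFE : in_single ? PCT_SINGLE
		     : in_double ? PCT_DOUBLE : PCT_BARE;
		if (found != PCT_NONE && found != here) return PCT_UNSAFE;
		found = here;
		p++;                        /* skip the 's' of "%s" */
	}
	return (in_single || in_double) ? PCT_UNSAFE : found;
}

int main(void)
{
	/* Constructed entry in the form update-mime produces: '%s'. */
	printf("%d\n", classify_placeholder("/bin/tar tvf '%s'"));
	return 0;
}
```

A caller would add its own shell quoting only for PCT_BARE, escape for the existing quotes in the PCT_SINGLE and PCT_DOUBLE cases, and report an error for PCT_UNSAFE.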