Hi,

> In the meantime, it's probably a good idea to drop
> "application/x-sh;application/x-shellscript" from the list of supported
> MIME types to limit the risk. (I assume that even with "text/plain" and a
> .sh file extension or a shebang, kitty might still decide to execute the
> script... so the issue is not entirely fixed, but it reduces the number of
> cases where "kitty +open" is invoked on shell scripts.)

Indeed, you can use a file with a MIME type such as text/ascii or x-scheme-handler/kitty and a .tool file extension, and it will be executed through kitty.

Affected software includes: mail clients (mutt, Thunderbird [3,4]), browsers (Firefox [1,2]), PDF viewers (Okular [5]).

[1] https://www.gabriel.urdhr.fr/img/kitty-firefox1.png
[2] https://www.gabriel.urdhr.fr/img/kitty-firefox2.png
[3] https://www.gabriel.urdhr.fr/img/kitty-thunderbird1.png
[4] https://www.gabriel.urdhr.fr/img/kitty-thunderbird2.png
[5] https://www.gabriel.urdhr.fr/img/kitty-okular.png

> And yet having shell scripts opened in the shell is a perfectly
> reasonable thing to do, for example when browsing shell scripts in your
> file manager.

This kind of thing should probably only happen if the file is marked as executable.

File and MIME type associations which can trigger arbitrary code execution without user confirmation are very dangerous. They might be triggered in unexpected ways. The user might be tricked into believing he is opening a "safe" file. These associations should probably not be enabled by default.

> In this case, mutt should be modified to have a separate view vs open
> action.

It is not only mutt (see above for other examples).

> Or it's the user's responsibility to configure their system to
> view shell files rather than execute them, if they are in the habit of
> clicking exe's attached to emails or otherwise clicking untrusted shell
> scripts.

Or is it our responsibility to ship with a secure-by-default configuration?

The user might not be aware that he is opening a shell script, either because he has been tricked (using a different MIME type and file extension) or because he is not especially skilled in computers/security.

Even if he is aware that he is opening a shell script (which might trigger arbitrary code execution and take control of his computer) he might not be aware that "opening" means "executing" in this context.

Regards,

Gabriel

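The policy proposed in the message above (only execute a script when the file is marked as executable) as an added example, not code from the original thread or from kitty: a small POSIX sh wrapper that a desktop "open" handler could call instead of running the file directly. The decision never consults the MIME type or the file extension, so the spoofed text/ascii or .tool cases described above land on the "view" path; only a regular file with the executable bit set and a shebang is run. The function names (classify_open, open_file), the PAGER fallback and the `.desktop` Exec= wiring are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not kitty's or the thread author's code): a desktop "open"
# handler that runs a shell script only when the user marked it executable.
# A .desktop entry would invoke it as: Exec=safe-open.sh %f
# Assumed names: classify_open, open_file. Uses head -c (GNU and BSD head).

# Print the action to take for a path: exec, view or refuse.
classify_open() {
    f=$1
    # Anything that is not a regular file (missing, directory, socket, ...)
    # is refused outright; -f and -x follow symlinks like the kernel would.
    [ -f "$f" ] || { echo refuse; return 0; }
    # MIME type and extension are attacker-controlled, so they are ignored.
    # Execute only if the executable bit is set and the file has a shebang.
    if [ -x "$f" ] && [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
        echo exec
    else
        echo view
    fi
}

# Act on the classification: run the script, or only display its contents.
open_file() {
    f=$1
    # A bare name would be looked up in PATH when executed; pin it to CWD.
    case $f in */*) ;; *) f=./$f ;; esac
    case $(classify_open "$f") in
        exec) "$f" ;;                      # the user marked it executable
        view) "${PAGER:-less}" "$f" ;;     # never executes, just shows text
        *)    printf 'refusing to open %s\n' "$f" >&2; return 1 ;;
    esac
}

# When invoked with an argument (e.g. from a .desktop Exec= line), act on it.
if [ $# -gt 0 ]; then
    open_file "$1"
fi
```

Note that the executable bit is a deliberate user action on the local filesystem, which a mail attachment or browser download does not carry, so a file that arrived through one of the affected applications above is viewed unless the user explicitly chmod's it first.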