STINNER Victor <vstin...@python.org> added the comment:

In 2022, Python 3.11 still has the issue:
----------------
vstinner@apu$ python3.11 -m mailcap
Mailcap files:
    /home/vstinner/.mailcap
    /etc/mailcap
    (...)
Mailcap entries:
(...)
text/html
  copiousoutput
  lineno          5
  view            /usr/bin/xdg-open %s

$ python3 -m mailcap text/html 'filename; pwd'
Executing: /usr/bin/xdg-open filename; pwd
(...)
/home/vstinner/python/main
----------------


Maybe subst() can be modified to work on a list (as Bernd Dietzel proposed) and 
then use subprocess to avoid the shell, and so avoid having to pass a single 
string, but pass a *list* of arguments (strings).

The problem is that it would change the public mailcap.findmatch() API:
"Return a 2-tuple; the first element is a string containing the command line to 
be executed (which can be passed to os.system()), (...)"
https://docs.python.org/dev/library/mailcap.html#mailcap.findmatch

Adding a new findmatch_list() function avoids the backward compatibility issue, 
but the existing findmatch() function would remain vulnerable.

The other problem is that the mailcap.findmatch() function supports the "test" 
command, which executes os.system() on a string created by mailcap.subst().

Is the mailcap format (RFC 1524) still used in 2022? Does the mailcap module 
still belong to the Python stdlib in 2022?

I propose to:

* (1) Document the shell injection vulnerability: the caller is responsible for 
validating the filename
* (2) Deprecate the mailcap module


A code search in the top 5000 PyPI projects (at 2022-01-26) did not find any 
Python source code using the "mailcap" module. I only found the word "mailcap" 
used to refer to other things:

* https://docs.djangoproject.com/en/4.0/ref/contrib/staticfiles/ mentions a 
"mailcap" RHEL package:

  "This can be achieved, for example, by installing or updating the mailcap 
package on a Red Hat distribution, mime-support on a Debian distribution, or by 
editing the keys under HKEY_CLASSES_ROOT in the Windows registry."

* wxPython refers to "KDE< mailcap and mime.types"


----------
nosy: +vstinner
versions: +Python 3.11 -Python 2.7, Python 3.5, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue24778>
_______________________________________
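Example added here, not from the issue or from CPython's mailcap module: the list-based substitution proposed in the comment above, beside the filename check of proposal (1), applied to a constructed mailcap entry shaped like the xdg-open one quoted. parse_view_command, subst_string, subst_list, is_safe_filename and checked_command are hypothetical helper names; the unsafe-character class is modelled on the one shlex.quote() uses.

```python
import re
import shlex

# Constructed mailcap entry in RFC 1524 layout: type; view-command; fields...
SAMPLE_MAILCAP = "text/html; /usr/bin/xdg-open %s; copiousoutput\n"

# Anything outside this set is shell-significant (modelled on shlex.quote()).
_UNSAFE = re.compile(r"[^\w@%+=:,./-]", re.ASCII)


def is_safe_filename(filename):
    """Proposal (1): the caller checks the filename before it reaches a shell."""
    return bool(filename) and _UNSAFE.search(filename) is None


def parse_view_command(mailcap_text, mime_type):
    """Return the view command template for mime_type, or None (minimal parser)."""
    for line in mailcap_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if fields[0] == mime_type and len(fields) > 1:
            return fields[1]
    return None


def subst_string(template, filename):
    """findmatch()-style textual substitution: one string meant for os.system()."""
    return template.replace("%s", filename)


def checked_command(template, filename):
    """String API kept, but refuse filenames a shell would reinterpret."""
    if not is_safe_filename(filename):
        raise ValueError("filename contains shell metacharacters: %r" % filename)
    return subst_string(template, filename)


def subst_list(template, filename):
    """List-based substitution: %s is replaced per argv element, so the filename
    is always a single argument; pass the result to subprocess.run(argv)."""
    return [tok.replace("%s", filename) for tok in shlex.split(template)]


if __name__ == "__main__":
    tpl = parse_view_command(SAMPLE_MAILCAP, "text/html")
    name = "filename; pwd"            # the filename from the comment's session
    print("string form:", subst_string(tpl, name))   # a shell would run pwd
    print("list form:  ", subst_list(tpl, name))     # one argument, no shell
    try:
        checked_command(tpl, name)
    except ValueError as err:
        print("rejected:", err)
```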