[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: merge sensible-browser in xdg-open AKA how to select the "best" browser

* Sandro Tosi <morph@debian.org> [090801 17:55]:
> [ making sensible-browser a symlink to xdg-open]
> Honestly, I don't that problem (but it won't surprise anyone if I'm
> wrong) because it's something similar to double-click on a
> malicious/dangerous executable in a file manager, hence why I wanted
> to bring this to a wide audience.

Please consider the following cases, which are usually considered
security bugs:

- some commercial mail program (you may guess one time which company
  wrote it), automatically played audio files attached to an email
  when opeing it. To determine it is an audio file it looked at the
  mime type, to play it the usual generic file opening code is used.
  You may guess one time what happens if such a file is called

- The browser links (or one of its many derivatives) has a list of
  external programs for the different file types. When it is about to
  start and external program it shows what file and which content type
  (and I think which program) it is about to start. Sadly that default
  was for images not 'see image/png:%' and so on, but only 'see %'.
  As wine was registering itself as program to open windows executables
  with, people suddenly got wine starting up, when they thought they
  had only authorized starting an image.

Even in the case of the file manager quoted above, I consider any
program just calling xdg-open[2] with it as very likely a security problem.
While users should not click on arbitrary stuff, they are usually shown
a file-type of what they click on: some text in mail program's
attachment list, an icon in a file manager and so on. Thus causing it
to start something else[1] is not the fault of the user, but that of the

The possible problem with changing sensible-browser I see:
Currently sensible-browser is opening a browser. All browsers I have yet
met only show html (with enough ugly things like javascript and plugins,
but only what you also expose when surfing the net) or ask before
starting an other program (or were told to never ask again).

Thus it is quite thinkable that some program has some file downloaded
it things is html and gives this file to s-b, which would not a problem
now, but with xdg-open it likely could be.

	Bernhard R. Link

[1] one could argue no such list should contain possible harmful things,
but especially with interpreters it is hard to be sure there is none
[2] without giving the mime-type as some option I do not know xdg-open
has got yet...

Reply to: