
Re: merge sensible-browser in xdg-open AKA how to select the "best" browser



Hi Bernhard,

On Sat, Aug 1, 2009 at 18:41, Bernhard R. Link <brlink@debian.org> wrote:
> * Sandro Tosi <morph@debian.org> [090801 17:55]:
>> [ making sensible-browser a symlink to xdg-open]
>> Honestly, I don't see that problem (but it won't surprise anyone if I'm
>> wrong) because it's something similar to double-click on a
>> malicious/dangerous executable in a file manager, hence why I wanted
>> to bring this to a wide audience.
>
> Please consider the following cases, which are usually considered
> security bugs:
>
> - some commercial mail program (you may guess one time which company
>  wrote it), automatically played audio files attached to an email
>  when opening it. To determine it is an audio file it looked at the
>  mime type, to play it the usual generic file opening code is used.
>  You may guess one time what happens if such a file is called
>  "virus.exe".
>
> - The browser links (or one of its many derivatives) has a list of
>  external programs for the different file types. When it is about to
>  start an external program it shows what file and which content type
>  (and I think which program) it is about to start. Sadly that default

Not always: iceweasel (just to name one) asks, but you can skip that
window by clicking on a box. Maybe you can skip that check for every
file; I didn't want to check.

> Even in the case of the file manager quoted above, I consider any
> program just calling xdg-open[2] with it as very likely a security problem.
> While users should not click on arbitrary stuff, they are usually shown
> a file-type of what they click on: some text in mail program's

They are usually shown a file extension (quite different from the
content of the file, if we consider a malicious situation) or an icon,
and I think a malicious guy can fake the "show the icon for the file"
algorithm.

> The possible problem with changing sensible-browser I see:
> Currently sensible-browser is opening a browser. All browsers I have yet
> met only show html (with enough ugly things like javascript and plugins,

I tried iceweasel with png, pdf, txt and also an odt, and guess what,
it opened them :) (and I was also surprised it opened the ooffice file
in an embedded tab, nice to know ;) ).

> but only what you also expose when surfing the net) or ask before
> starting another program (or were told to never ask again).
>
> Thus it is quite thinkable that some program has some file downloaded
> it thinks is html and gives this file to s-b, which would not be a problem
> now, but with xdg-open it likely could be.

So, I think that if you believe that x-o is so dangerous, you should
file a grave bug against it and against all the applications that use
it. But frankly I feel it is too extreme.

Anyway, have you looked at the x-o code? The file opening utility (because
it seems that is the main and only problem with this proposal) uses
run-mailcap to open a file, the standard way to open a file, or no?

x-o is just glue around other tools to try to identify the best
candidate to open a file/URL. So there are 2 options: either it is so damn
wrong that it must be removed from the archive, or there must be a
stronger reasoning to not merge s-b in x-o (even more that x-o already
uses s-b) than *hypothetical* security problems.

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
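
The mismatch discussed in this thread (a caller trusts one type label while a generic opener dispatches on the file name or content) can be checked before the hand-off. This is an added example, not part of the original message and not code from xdg-open, sensible-browser or run-mailcap; `check_before_open`, `sniff_executable` and the sample inputs are hypothetical, and the magic-byte list is a short illustrative set.

```python
import mimetypes

# Well-known leading bytes of content that runs rather than displays.
# Short illustrative list, not exhaustive.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF binary",
    b"MZ": "DOS/PE executable",
    b"#!": "interpreter script",
}

def sniff_executable(head: bytes):
    """Return a label if the content starts like an executable, else None."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return None

def check_before_open(filename: str, expected_mime: str, head: bytes):
    """Hypothetical gate for a caller that believes the file is `expected_mime`.

    Returns (ok, reason). ok is True only if the content does not look
    executable and the type implied by the file name matches what the
    caller expects, since a generic opener may dispatch on either.
    """
    label = sniff_executable(head)
    if label:
        return False, f"content looks like {label}"
    guessed, _ = mimetypes.guess_type(filename)
    if guessed is None:
        return False, "file name implies no known type"
    if guessed != expected_mime:
        return False, f"name implies {guessed}, caller expected {expected_mime}"
    return True, "name matches expected type, content not executable"

# Constructed samples: (file name, type the caller was told, first bytes).
SAMPLES = [
    ("page.html", "text/html", b"<!DOCTYPE html><html>"),
    ("virus.exe", "audio/x-wav", b"MZ\x90\x00"),
    ("page.html", "text/html", b"\x7fELF\x02\x01\x01"),
    ("notes.pdf", "text/html", b"%PDF-1.4"),
]

def run_samples():
    return [check_before_open(*s)[0] for s in SAMPLES]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], sample[1], check_before_open(*sample))
```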

