
Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command



Hi Rene,

On Fri, Jan 31, 2020 at 05:28:58PM +0100, Rene Engelhard wrote:
> > Using mutt, I created a new email, added an attachment with a file name
> > containing spaces (a pptx file, thus libreoffice), and without sending
>
> no, MS Office. Which LibreOffice happens to be registered for.

I know. What I meant is that this is the reason I submit this to the libreoffice package.

> Just that mutt is one thing. Maybe mutt does it correct, but
> unfortunately mutt users are not really the majority, people use
> thunderbird or evolution or so...

For thunderbird I find, e.g.:

message/rfc822; /usr/bin/thunderbird %s; test=test -n "$DISPLAY"
text/calendar; /usr/bin/thunderbird %s; test=test -n "$DISPLAY"
text/x-vcard; /usr/bin/thunderbird %s; test=test -n "$DISPLAY"

firefox:

text/html; /usr/bin/firefox-esr %s; description=HTML Text; test=test -n "$DISPLAY"; nametemplate=%s.html
text/xml; /usr/bin/firefox-esr %s; description=XML Text; test=test -n "$DISPLAY"; nametemplate=%s.xml

evolution:

text/calendar; evolution -c tasks %s; test=test -n "$DISPLAY"
text/x-vcard; evolution -c tasks %s; test=test -n "$DISPLAY"
text/directory; evolution -c tasks %s; test=test -n "$DISPLAY"

None of these tools use quotes.

Searching through my /etc/mailcap, I find the vast majority not using quotes around %s, but some do, including libreoffice. It might be good to submit bugs to all of those, too. However, since I encountered this with libreoffice during regular work and the entries on my system are likely only a subset of the problematic ones, I'll leave it up to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928037 to care about a general solution.

Whether another tool assumes the libreoffice mailcap entries containing quotes already would not make a difference though. If, supposedly, another tool does not quote filenames (assuming mailcap does that), then this would still be a security problem. Instead of "file; echo Hello" one would name the file "'file; echo Hello'" or similar. As mentioned, no amount of quoting in the mailcap is able to prevent shell escapes. This is why the replacing program must be the one doing this. Thus, if any tool using mailcap does not quote filenames properly and only relies on mailcap to do it for them, that would be a (security) bug within that tool. On the other hand, using quotes in the entry unfortunately breaks those tools that work the intended way.

I agree that this is confusing. I commented on a related bug within mutt first, only later realizing that mutt actually does it the right way. #928037 contains thoughts about this, including links to other threads, that show the problem from a more or less neutral view. This is why #928037 exists: the RFC is rather unhelpful and other documentation does not really show users how those entries should be handled, right now.

Greetings, and thanks for your quick response,

Frank
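
Added example, not part of the original message or of any package discussed in it: a small Python check that lists mailcap view commands whose %s sits inside quotes, plus a caller-side expansion that quotes the filename itself, as the message says the replacing program must. The "exampleviewer" entries and all function names are hypothetical; the sample text is constructed.

```python
import shlex

# Constructed sample: the first two lines follow entries quoted in the message;
# "exampleviewer" and its MIME types are hypothetical entries that quote %s.
SAMPLE_MAILCAP = """\
text/calendar; /usr/bin/thunderbird %s; test=test -n "$DISPLAY"
text/html; /usr/bin/firefox-esr %s; description=HTML Text; nametemplate=%s.html
application/x-example; exampleviewer '%s'; test=test -n "$DISPLAY"
application/x-example2; exampleviewer --open "%s"
"""


def placeholder_in_quotes(command):
    """True if any %s in the command sits inside '...' or "..."."""
    quote, i = None, 0
    while i < len(command):
        c = command[i]
        if c == "\\" and quote != "'":
            i += 2          # skip a backslash-escaped character
            continue
        if quote:
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        if quote and command.startswith("%s", i):
            return True
        i += 1
    return False


def quoted_placeholders(mailcap_text):
    """Return (line_no, mime_type, command) for view commands that quote %s.

    Simplification: fields are split on every ';' (escaped '\\;' is not handled).
    """
    findings = []
    for no, line in enumerate(mailcap_text.splitlines(), 1):
        fields = [f.strip() for f in line.split(";")]
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue
        if placeholder_in_quotes(fields[1]):
            findings.append((no, fields[0], fields[1]))
    return findings


def argv_after_expand(command, filename):
    """Caller-side quoting: substitute shlex.quote(filename), then parse as sh would."""
    return shlex.split(command.replace("%s", shlex.quote(filename)))
```

With an unquoted %s the filename arrives as a single argument; with the quoted hypothetical entry, a correctly quoting caller ends up passing a name with spaces as two arguments, which is the breakage described above.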
