Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
Hello,
Unfortunately no progress yet on #928037, but I wanted to add here some info from related bug reports.
1) There is a Lintian test for this specific problem:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
Package libreoffice and 40 more, currently trigger the warning.
The test was introduced in Lintian 2.42.0, 19 Dec 2019.
The bug report requesting the test dates back to 17 Feb 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
2) The problem has already been discussed in old bugs, usually reaching the conclusion that %-escapes should *not* be quoted in the rules:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486#42
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747050
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745141
https://lists.debian.org/debian-user/2005/04/msg01185.html
Unfortunately they decided not to document anything because "I would like to avoid divergence with other platforms":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=90483#30
As a result, many years later, every piece of Debian concerning mailcap is still a vector for arbitrary command execution, while package maintainers have no way of knowing what to do, and bug reports keep resurrecting like zombies (my #928037 is a duplicate of 10yo #90483).
3) Thunderbird doesn't use the %-expansion in the rules at all.
The parsing function extracts what it thinks is the "executable name" and returns just that.
https://hg.mozilla.org/mozilla-central/file/661f0d8ae4c44db58e668c831b555dbc038b77d0/uriloader/exthandler/unix/nsOSHelperAppService.cpp
>From function UnescapeCommand:
"UnescapeCommand really needs some work -- it should actually do some unescaping"
>From function GetHandlerAndDescriptionFromMailcapFile:
// XXX ugly hack. Just grab the executable name
...
// XXX End ugly hack
I don't know about Evolution.
Reply to: