Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command

To: Marriott NZ <marriott99@gmx.com>, 950319@bugs.debian.org
Subject: Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
From: Rene Engelhard <rene@debian.org>
Date: Thu, 17 Dec 2020 08:34:44 +0100
Message-id: <[🔎] d29080d1-6696-9021-a41c-1a8560a929ed@debian.org>
Reply-to: Rene Engelhard <rene@debian.org>, 950319@bugs.debian.org
In-reply-to: <[🔎] trinity-bc1fa104-3bf3-4ff4-b959-0e0628b64b68-1608162524233@3c-app-mailcom-bs16>
References: <[🔎] trinity-bc1fa104-3bf3-4ff4-b959-0e0628b64b68-1608162524233@3c-app-mailcom-bs16> <158046764907.8690.14404290701550485298.reportbug@topf.wg>

Hi,

Am 17.12.20 um 00:48 schrieb Marriott NZ:
> Unfortunately no progress yet on #928037, but I wanted to add here some info from related bug reports.
>
> 1) There is a Lintian test for this specific problem:
> https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
> Package libreoffice and 40 more, currently trigger the warning.
> The test was introduced in Lintian 2.42.0, 19 Dec 2019.
> The bug report requesting the test dates back to 17 Feb 1999:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486

I know and saw that one, and as long as there isn't a *definitive*
answer am continuing what I am doing already: ignoring it.

Or is lintians tag is a distro-wide decision? I don't take that for a
given since they introduce bogus tags all the time .oO ( "breakout-link" )

> 2) The problem has already been discussed in old bugs, usually reaching the conclusion that %-escapes should *not* be quoted in the rules:
*usually*?
> Unfortunately they decided not to document anything because "I would like to avoid divergence with other platforms":
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=90483#30

Fair point, IMHO.


> As a result, many years later, every piece of Debian concerning mailcap is still a vector for arbitrary command execution, while package maintainers have no way of knowing what to do, and bug reports keep resurrecting like zombies (my #928037 is a duplicate of 10yo #90483).

As we see here, too.


> 3) Thunderbird doesn't use the %-expansion in the rules at all.
> The parsing function extracts what it thinks is the "executable name" and returns just that.
>
> https://hg.mozilla.org/mozilla-central/file/661f0d8ae4c44db58e668c831b555dbc038b77d0/uriloader/exthandler/unix/nsOSHelperAppService.cpp
>
> From function UnescapeCommand:
>   "UnescapeCommand really needs some work -- it should actually do some unescaping"
> From function GetHandlerAndDescriptionFromMailcapFile:
>   // XXX ugly hack.  Just grab the executable name
>   ...
>   // XXX End ugly hack
>
> I don't know about Evolution.
>
That would be important info - and please don't forget mutt et al.


Regards,


Rene

Reply to:

References:
- Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
  - From: Marriott NZ <marriott99@gmx.com>

Prev by Date: Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
Next by Date: Bug#975481: marked as done (Use libmariadb-dev instead of legacy libmariadbclient-dev)
Previous by thread: Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
Next by thread: Bug#950319: libreoffice: filename replacements in mime entries for mailcap must not be quoted within the given command
Index(es):
- Date
- Thread