
Re: Bug#156572: update-mime: don't convert %s into '%s'

> The update-mime program seems to convert %s in /usr/lib/mime/packages/
> files into '%s'.  This seems to be a Bad Thing.  Applications using
> mailcap must escape filenames before they execute the command
> themselves.  Reason: how would you handle a filename containing the
> character ' otherwise?

This is incorrect.  A mailcap entry is allowed to have _anything_ in
its command.  Thus, a user could create a rule with ('%s') or (%s).  It
is up to the calling program to be safe.  As such, since both are
legal constructs, the update-mime program "plays it safe" and always
converts a plain (%s) to ('%s'); it breaks no rules of the /etc/mailcap
file as it does so and helps be secure for many mailcap programs that
are too brain-dead to even escape any spaces or shell meta-characters.

> Admittedly, RFC 1524 is not clear on this, but at least it never uses
> '%s' in examples, but always %s.

   On a UNIX system, such commands will each be a full shell command
   line, including the path name for a program and its arguments.
   (Because of differences in shells and the implementation and behavior
   of the same shell from one system to another, it is specified that
   the command line be intended as input to the Bourne shell, i.e., that
   it is implicitly preceded by "/bin/sh -c " on the command line.)

It is quite clear.  Whatever is listed as the command must be passed
exactly to the shell.  While clear, though, it is not very useful and
the source of many problems.

> Most importantly though, other systems (e.g. RedHat) do not do this.
> This has caused problems in the mail reader Gnus which does escape
> filenames internally, to be able to handle filenames containing space
> or characters like '.

Those programs are incorrect.  Any and all commands must work (including
those with quote marks around the %s) when a filename is substituted in
to it.

A mailcap aware program should not try to escape characters before passing
it to the shell because it has no idea what kinds of commands a user may
write in their mailcap files; update-mime is only one of several ways
to create mailcap entries.

The only correct way I have come up with is to rename or link the file
in question to a name that has no shell meta-characters and pass that
in place of the (%s).  This is what the run-mailcap program does.

> Several other packages (with data in /usr/lib/mime/packages/) need to
> be updated too, I think.
> Is this discussed in some policy manual somewhere?  It should be
> improved too in that case, I see some files in /usr/lib/mime/packages/
> contain '%s' and others %s.

It's been discussed several times in the past, but I don't know if it's
policy or not.

                                  ( bcwhite@pobox.com )

                          Windows: Just another pane.
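
The rename-or-link approach described in the message above, as an added example (not part of the original post and not run-mailcap's own code): the file is exposed through a symlink whose name has no shell meta-characters, and that name replaces %s, so the same call works for templates written with %s or '%s'. The function name, the allow-list and the sample filename are assumptions made for this example, and only the %s field is handled.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Characters treated as harmless in an unquoted or single-quoted shell word
# (a conservative allow-list chosen for this example).
SAFE_PATH = re.compile(r"[A-Za-z0-9_./+,-]+")


def run_mailcap_command(template, path):
    """Run a mailcap command template on `path` without escaping anything.

    If the absolute path contains characters outside SAFE_PATH, the file is
    exposed through a symlink with a harmless name and that name replaces %s,
    so the template works whether it says %s or '%s'.
    """
    real = os.path.abspath(path)  # absolute, so it can never start with '-'
    target, tmpdir = real, None
    if not SAFE_PATH.fullmatch(real):
        tmpdir = tempfile.mkdtemp(prefix="mailcap")
        ext = os.path.splitext(real)[1]
        if not re.fullmatch(r"\.[A-Za-z0-9]+", ext):
            ext = ""  # drop extensions that are themselves unsafe
        target = os.path.join(tmpdir, "file" + ext)
        if not SAFE_PATH.fullmatch(target):  # e.g. TMPDIR contains spaces
            shutil.rmtree(tmpdir)
            raise RuntimeError("temporary directory path is not shell-safe")
        os.symlink(real, target)
    try:
        # RFC 1524: the command is input to the Bourne shell, passed as-is.
        command = template.replace("%s", target)
        return subprocess.run(["/bin/sh", "-c", command],
                              capture_output=True, text=True)
    finally:
        if tmpdir:
            shutil.rmtree(tmpdir)  # removes the link, not the linked file


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    odd = os.path.join(workdir, "it's a test; echo INJECTED.txt")  # constructed
    with open(odd, "w") as handle:
        handle.write("hello\n")
    for tpl in ("cat %s", "cat '%s'"):
        print(repr(tpl), "->", repr(run_mailcap_command(tpl, odd).stdout))
    shutil.rmtree(workdir)
```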
