[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#172436: followup on browser proposal



I just noticed, somewhat to my suprise, that this proposal is not in
policy despite being fully implemented in debian now. Maybe it's because
of Ian's reply.

Ian writes:
> This is a bad idea because it will be very annoying if the URL is
> unfetchable - all the browsers will be launched in sequence.

In practice BROWSER is set to a list two of browsers (mozilla:w3m) if
someone wants to use one browser while in X, and another browser
otherwise. In that fairly ususal case, you're used to the first,
X-enabled browser failing part of the time, when there is no DISPLAY. If
the url is bad, they both fail, which seems not too suprising.

If someone sets BROWSER to something like w3m:lynx:links:wget then
the first question is what on earth do they hope to achieve by doing
this? Fall back to lynx is w3m cannot link today? It really doesn't make
much sense. Again, when every command in the sequence fails, it's only
doing what they requested, nonsensical as that was.

> How about we define an exit status which the command is required to
> give if it is not suitable for use at the moment ?  <sysexits.h> isn't
> particularly helpful, but we could pick one of those.

I would be happy to see this as a separate proposal, but someone else
will need to make it.

[ On the %s substitution stuff. ]
> I think this is a very bad idea.  What if the URL maliciously contains
> shell metacharacters ?  (I know they're not _supposed_ to.)

The code in Debian already (see the sensible-browser program) does not
let BROWSER touch a shell. If BROWSER contains a %s then the command is
all parsed into words, substituted, and the browser execed. Just as Ian
goes on to suggest we do, except we keep the %s available as the
upstream BROWSER environment variable spec calls for, with no additional
security issue. I think there was already a thread about this.

The only possible security problem comes if some badly behaved program
does this:

  system("sensible-browser '<url>'");

Such programs are broken, but it's breakage outside the scope of this
proposal. I'd be happy to see someone make a proposal that programs not
pass any kind of tainted data through the shell, ever, but someone else
will need to work on that. :-)

Every program I have converted to comply with the browser policy calls
sensible-browser safely, using exec, or parses BROWSER on its own and
runs the browser itself safely, using exec.


The rest of Ian's mail suggests wording tweaks that I agree with. Here
is a followup proposal that includes calling "sensible-www-browser" by
its real name, "sensible-browser". I've included change bars. 

I am looking for seconds, again.

  Web browsers
  ------------

  Some programs have the ability to launch a web browser to display an URL.
  Since there are lots of different web browsers available in the Debian
  distribution, the system administrator and each user should have the
  possibility to choose a preferred web browser.

  In addition, programs should choose a good default web browser if none
  is selected by the user or system administrator.

  Thus, every program that launches a web browser with an URL must use the
  BROWSER environment variable to determine what browser the user wishes
  to use.

  The value of BROWSER may consist of a colon-separated series of browser
  command parts. These should be tried in order until one succeeds. Each command
  part may optionally contain the string "%s"; if it does, the URL to be viewed
  is substituted there. If a command part does not contain %s, the browser is to
  be launched as if the URL had been supplied as its first argument. The string
  %% must be substituted as a single %
  <footnote>
  This browser variable was proposed by Eric Raymond at
  http://www.tuxedo.org/~esr/BROWSER/
  </footnote>

  If the BROWSER environment variable is not set, the program should use
| /usr/bin/x-www-browser if DISPLAY is set,
  and /usr/bin/www-browser if not. These two files are managed through the dpkg
  alternatives mechanism. Thus every package providing a general-purpose
  web browser must call the update-alternatives program to register
  the appopriate one of these alternatives.

| Instead of implementing the above in every program that runs a web browser,
| programs in Debian may be configured to use /usr/bin/sensible-browser .
| This is a program provided by the Debian base system that checks
  the BROWSER environment variable, and falls back to /usr/bin/x-www-browser
  or /usr/bin/www-browser if it is not set.

-- 
see shy jo

Attachment: pgpcKknDElS3H.pgp
Description: PGP signature


Reply to: