
Bug#172436: [PROPOSAL] web browser url viewing



The BROWSER environment variable proposal is another wording proposal
that's been sitting in the Policy bug queue for quite some time with
plenty of seconds and a concrete wording proposal.  I'd like to resurrect
this discussion and put it permanently to rest one way or the other.

Copying Joey as the original proposer and Clint just in case you're not
following debian-policy at the moment, since the outcome of this
discussion may affect sensible-browser in debianutils and the resolution
of Bug#289745.

After reading through the bug log and reading some of the discussion of
BROWSER at <http://www.dwheeler.com/browse/>, I'm inclined to agree with
the following analysis from that page:

    In particular, a major debate is whether it's worth calling the
    shell. The shell call may be removed as being too dangerous. Options
    include: (1) BROWSER only having a list of program names, (2) BROWSER
    listing programs with constant arguments (no need for %s), and (3)
    Using "%" replacements but avoiding the shell. The "%" replacements
    are increasingly looking undesirable; they take more work to program,
    and handling Netscape/Mozilla properly requires writing a short
    program anyway (so they don't seem to be helpful).

Accordingly, I think Debian should implement the alternative proposal that
doesn't allow %s escapes.  This is compatible with the proposal that does,
and with what sensible-browser does today, except that people who have a
BROWSER environment variable setting that uses %s will find that it won't
work if this approach is adopted.  I'm dubious how many people have gotten
that to work successfully; see http://bugs.debian.org/289745 as noted
above and the problems uncovered there.

Here is a patch based heavily on Joey's original patch that describes
that.  This patch (similar to Joey's) doesn't include the URL
canonicalization requirements of the secure BROWSER specification.  They
don't seem obviously necessary to me and are complex and would add a lot
of additional wording to explain how to canonicalize URLs.

Comments?  Seconds?

--- orig/policy.sgml
+++ mod/policy.sgml
@@ -8441,6 +8441,65 @@
 	  for games (X and non-X games) should be installed in
 	  <file>/usr/share/man/man6</file>.</p>
       </sect>
+
+      <sect>
+	<heading>Web browsers</heading>
+
+	<p>
+	  Some programs have the ability to launch a web browser to
+	  display an URL.  Since there are lots of different web browsers
+	  available in the Debian distribution, the system administrator
+	  and each user should have the possibility to choose a preferred
+	  web browser.
+	</p>
+
+	<p>
+	  In addition, programs should choose a good default web browser
+	  if none is selected by the user or system administrator.
+	</p>
+
+	<p>
+	  Thus, every program that launches a web browser with an URL
+	  should use the BROWSER environment variable to determine what
+	  browser the user wishes to use.
+	</p>
+
+	<p>
+	  The value of BROWSER may consist of a colon-separated series of
+	  browser command parts.  These should be tried in order until one
+	  succeeds.  A command part consists of the command to executed
+	  followed by 0 or more arguments separated by one or more spaces.
+	  The command and arguments should be separated at the spaces, the
+	  URL added as a final argument, and the resulting command
+	  executed directly (not via the shell).<footnote>
+	    This protects against bugs and security problems caused by
+	    shell metacharacters in the browser arguments or URL.  This
+	    specification is compatible with the
+	    <url id="http://www.dwheeler.com/browse/";
+		name="Alternative Secure BROWSER Definition">.
+	  </footnote>
+	</p>
+
+	<p>
+	  If the BROWSER environment variable is not set, the program can
+	  use <file>/usr/bin/x-www-browser</file> if DISPLAY is set, and
+	  <file>/usr/bin/www-browser</file> if not.  These two files are
+	  managed through the dpkg alternatives mechanism.  Thus every
+	  package providing a general-purpose web browser must call the
+	  <prgn>update-alternatives</prgn> program to register the
+	  appopriate one of these alternatives.
+	</p>
+
+	<p>
+	  Instead of implementing the above in every program that runs a
+	  web browser, programs in Debian may be configured to use
+	  <file>/usr/bin/sensible-browser</file>.  This is a program
+	  provided by the Debian base system that checks the BROWSER
+	  environment variable, and falls back to
+	  <file>/usr/bin/x-www-browser</file> or
+	  <file>/usr/bin/www-browser</file> if it is not set.
+	</p>
+      </sect>
     </chapt>
 
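Review bot: "These should be tried in order until one succeeds" never defines success, and the sensible-browser paragraph only covers BROWSER being unset, so an implementer cannot tell whether a non-zero exit status moves on to the next command part, or whether the x-www-browser/www-browser fallback applies when every listed part fails; please define both. Because the URL is appended as a plain final argument, the text could also say how a URL beginning with "-" is to be passed so that a browser does not read it as an option. Nits: "the command to executed" should be "the command to be executed", "appopriate" should be "appropriate", and the url id attribute has a stray ";" after its closing quote.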
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
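
The launching rule worded in the patch above (split BROWSER at colons, split each part at spaces, append the URL, execute without a shell), as an added Python example that is not part of the original message or of sensible-browser. It assumes "succeeds" means the command could be executed and exited with status 0, and it treats an empty BROWSER like an unset one; `browser_commands` and `open_url` are hypothetical names.

```python
import os
import subprocess


def browser_commands(url, environ):
    """Return the argv lists to try, in order, for displaying url."""
    commands = []
    # BROWSER is a colon-separated series of command parts.
    for part in environ.get("BROWSER", "").split(":"):
        # Split at spaces only; no quoting, globbing or %s expansion.
        argv = [word for word in part.split(" ") if word]
        if argv:
            # The URL is always one final argv element, whatever it contains.
            commands.append(argv + [url])
    if not commands:
        # Assumption: an empty BROWSER is treated like an unset one.
        if environ.get("DISPLAY"):
            commands.append(["/usr/bin/x-www-browser", url])
        else:
            commands.append(["/usr/bin/www-browser", url])
    return commands


def open_url(url, environ=None, run=subprocess.call):
    """Try each command directly (never via a shell); return the argv that worked."""
    environ = os.environ if environ is None else environ
    for argv in browser_commands(url, environ):
        try:
            # A list argv with the default shell=False is passed to exec as-is.
            if run(argv) == 0:  # assumption: "succeeds" means exit status 0
                return argv
        except OSError:
            continue  # command missing or not executable: try the next part
    return None


# Constructed sample: a URL carrying shell metacharacters.
SAMPLE_URL = "http://example.org/?q=a;b&c=$(d)"
SAMPLE_ENV = {"BROWSER": "firefox -new-tab:w3m", "DISPLAY": ":0"}

if __name__ == "__main__":
    for argv in browser_commands(SAMPLE_URL, SAMPLE_ENV):
        print(argv)
```

Because each command is an argv list, the `;`, `&` and `$(...)` in the sample URL reach the browser as literal characters of one argument.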


