Security: Mutt and mailcap rules

Vincent Lefevre vincent at
Sat Jun 22 10:24:16 UTC 2019

FYI, due to incorrect mailcap rules, which use '%s' or similar
instead of just %s, the filename quoting system in Mutt eventually
makes the filename *unquoted*, i.e. reversing its purpose, e.g.

  "less ''/var/tmp/_.txt''"

I've reported a general bug in Debian:

After reading the code, it appears that OPTMAILCAPSANITIZE is not
used for %s:

      else if (*cptr == 's' && filename != NULL)
        mutt_buffer_quote_filename (quoted, filename);
        mutt_buffer_addstr (buf, mutt_b2s (quoted));
        needspipe = FALSE;

But it appears that the filename is usually or always sanitized.
The code is not enough documented about that.

If the filename is expected to be always sanitized, this should
probably be double-checked here to be sure and potentially avoid
future security bugs.

Vincent Lefèvre <vincent at> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

More information about the Mutt-dev mailing list