Security: Mutt and mailcap rules
Vincent Lefevre
vincent at vinc17.org
Sat Jun 22 10:24:16 UTC 2019
FYI, due to incorrect mailcap rules, which use '%s' or similar
instead of just %s, the filename quoting system in Mutt eventually
makes the filename *unquoted*, i.e. reversing its purpose, e.g.
"less ''/var/tmp/_.txt''"
I've reported a general bug in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
After reading the code, it appears that OPTMAILCAPSANITIZE is not
used for %s:
  else if (*cptr == 's' && filename != NULL)
  {
    mutt_buffer_quote_filename (quoted, filename);
    mutt_buffer_addstr (buf, mutt_b2s (quoted));
    needspipe = FALSE;
  }
But it appears that the filename is usually or always sanitized.
The code is not sufficiently documented about that.
If the filename is expected to be always sanitized, this should
probably be double-checked here to be sure and potentially avoid
future security bugs.
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
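The quoting problem described in the message above, as an added example (not Mutt's own code and not part of the original post). The script re-implements, in Python, the single-quote wrapping that Mutt's filename quoting performs as I read it (wrap in single quotes; an embedded ' or backtick is written by closing the quote, backslash-escaping the character and reopening), expands the %s of a mailcap view command with that quoted name, and then shows what a POSIX shell would make of the result: which characters land outside any quotes, and how the command splits into words. The filenames and mailcap rules are constructed for the demonstration; only %s and %% are expanded, not the other mailcap escapes.

```python
import shlex


def mutt_quote_filename(name: str) -> str:
    """Quote a filename for /bin/sh the way Mutt's filename quoting does
    (assumption, from reading the code: wrap in single quotes; an embedded
    ' or ` becomes '\\'' resp. '\\`', i.e. close, escape, reopen)."""
    out = ["'"]
    for ch in name:
        if ch in "'`":
            out.append("'\\" + ch + "'")
        else:
            out.append(ch)
    out.append("'")
    return "".join(out)


def expand_mailcap(template: str, filename: str) -> str:
    """Expand the %s of a mailcap command with the *quoted* filename, which
    is what the 's' branch quoted in the message does.  Only %s and %% are
    handled here (constructed subset of the mailcap escapes)."""
    quoted = mutt_quote_filename(filename)
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            n = template[i + 1]
            if n == "s":
                out.append(quoted)
                i += 2
                continue
            if n == "%":
                out.append("%")
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def unquoted_span(cmd: str) -> str:
    """Return the characters of cmd that a POSIX shell sees *outside* single
    quotes (double quotes and backslashes are not produced by the quoting
    above, so they are ignored).  Any part of the filename that ends up here
    is exposed to word splitting and other shell interpretation."""
    bare, inside = [], False
    for ch in cmd:
        if ch == "'":
            inside = not inside
        elif not inside:
            bare.append(ch)
    return "".join(bare)


def shell_words(cmd: str):
    """argv as a POSIX shell would build it (no expansions performed), or
    None when the quoting is unbalanced and the shell would refuse it."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed rules: the correct form (%s) next to the broken one ('%s').
    rules = ["less %s", "less '%s'"]
    names = ["/var/tmp/_.txt", "/var/tmp/my file.txt", "it's.txt"]
    for rule in rules:
        for name in names:
            cmd = expand_mailcap(rule, name)
            print(f"rule {rule!r:12} name {name!r:24} -> {cmd}")
            print(f"    bare text : {unquoted_span(cmd)!r}")
            print(f"    argv      : {shell_words(cmd)}")
```

With the correct rule the filename stays inside one quoted word; with `'%s'` the rule's own quotes pair up with Mutt's, the name is left between two empty strings, a name containing a space splits into two arguments, and a name containing a single quote yields an unbalanced command.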