Security: Mutt and mailcap rules

Gero Treuner gero-mutt at
Sat Jun 22 11:40:36 UTC 2019


On Sat, Jun 22, 2019 at 12:24:16PM +0200, Vincent Lefevre wrote:
> FYI, due to incorrect mailcap rules, which use '%s' or similar
> instead of just %s, the filename quoting system in Mutt eventually
> makes the filename *unquoted*, i.e. reversing its purpose, e.g.
>   "less ''/var/tmp/_.txt''"
> I've reported a general bug in Debian:

There is a related "bug" with similar conclusion:

As the plain %s looks insane (but isn't here because it's the caller
responsible for providing only safe filenames) and probably continues to
attract people to imprudently disimprove the situation, what about some

I don't want the executable to be bloated, but what do you think about a
script checking mailcap at build time regarding this issue?

IMO then it pops up for the right audience of "interested" people
building systems ;-)

Kind regards,
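
A sketch of the kind of build-time mailcap check proposed in the message above, as an added example that is not part of the original post and not Mutt's own code. It flags command fields where %s sits inside single or double quotes. The sample entries, the function names and the choice of the RFC 1524 command fields to inspect are assumptions made for illustration.

```python
import re

COMMAND_KEYS = {"test", "compose", "composetyped", "edit", "print"}  # RFC 1524

# Constructed sample mailcap for illustration, not taken from a real system.
SAMPLE = r"""# constructed sample
text/plain; less '%s'; needsterminal
text/html; lynx -dump %s; copiousoutput
application/pdf; xpdf "%s"; \
    test=test -n "$DISPLAY"
image/*; display %s; test=test -f '%s'; description="Image"
"""

def entries(text):
    """Yield (first_line_number, entry) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf and (not raw.strip() or raw.lstrip().startswith("#")):
            continue                      # blank line or comment
        start = start if buf else n
        if raw.endswith("\\"):
            buf += raw[:-1]
        else:
            yield start, buf + raw
            buf = ""

def has_quoted_s(cmd):
    """True if %s appears inside '...' or "..." in a command field."""
    quote, i = None, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\":
            i += 1                        # mailcap-level escape: skip next char
        elif c in "'\"" and quote in (None, c):
            quote = None if quote else c  # open or close a shell quote
        elif quote and cmd.startswith("%s", i):
            return True
        i += 1
    return False

def check_mailcap(text):
    """Return [(line, mime_type, field)] for command fields that quote %s."""
    findings = []
    for line, entry in entries(text):
        fields = [f.strip() for f in re.split(r"(?<!\\);", entry)]
        for idx, field in enumerate(fields[1:], 1):
            key = field.split("=", 1)[0].strip().lower()
            if (idx == 1 or key in COMMAND_KEYS) and has_quoted_s(field):
                findings.append((line, fields[0], field))
    return findings
```

A build step could run check_mailcap over the system mailcap file and print or fail on any finding.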

