Security: Mutt and mailcap rules
gero-mutt at innocircle.com
Sat Jun 22 11:40:36 UTC 2019
On Sat, Jun 22, 2019 at 12:24:16PM +0200, Vincent Lefevre wrote:
> FYI, due to incorrect mailcap rules, which use '%s' or similar
> instead of just %s, the filename quoting system in Mutt eventually
> makes the filename *unquoted*, i.e. reversing its purpose, e.g.
> "less ''/var/tmp/_.txt''"
> I've reported a general bug in Debian:
There is a related "bug" with similar conclusion:
As the plain %s looks insane (but isn't here because it's the caller
responsible for providing only safe filenames) and probably continues to
attract people to imprudently disimprove the situation, what about some
I don't want the executable to be bloated, but what do you think about a
script checking mailcap at build time regarding this issue?
IMO then it pops up for the right audience of "interested" people
building systems ;-)
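A build-time mailcap check of the kind proposed above could look like the following. This is an added example, not part of the original message and not code from Mutt or Debian. The function names are hypothetical, only `%s` is checked, and shell quoting is modelled in a simplified way (single quotes, double quotes, backslash escapes).

```python
import re

SAMPLE = r"""# constructed sample, not taken from any real system
text/plain; less '%s'; needsterminal
text/html; lynx -dump %s; copiousoutput
image/*; display "%s"; test=test -n "$DISPLAY"
application/pdf; sh -c 'echo start' && \
    xpdf %s
text/x-c; view \'%s
"""

def logical_lines(text):
    """Yield (first_line_no, entry); joins '\\' continuations, skips comments."""
    parts, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not parts and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        start = start if parts else no
        parts.append(raw[:-1] if raw.endswith("\\") else raw)
        if not raw.endswith("\\"):
            yield start, "".join(parts)
            parts = []
    if parts:
        yield start, "".join(parts)

def split_fields(entry):
    """Split an entry on ';', honouring the '\\;' escape."""
    return [f.strip() for f in re.findall(r"(?:\\.|[^;])+", entry)]

def quoted_percent_s(cmd):
    """True if some %s lies inside '...' or "..." (simplified sh quoting)."""
    quote, i = None, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and quote != "'":
            i += 1                      # skip the escaped character
        elif quote is None and c in "'\"":
            quote = c                   # opening quote
        elif c == quote:
            quote = None                # closing quote
        elif quote and cmd.startswith("%s", i):
            return True                 # %s wrapped in quotes by the rule
        i += 1
    return False

def check_mailcap(text):
    """Return [(line_no, field)] for every field that wraps %s in quotes."""
    return [(no, f) for no, entry in logical_lines(text)
            for f in split_fields(entry)[1:] if quoted_percent_s(f)]
```

A build script would call `check_mailcap()` on the contents of the system mailcap file and fail or warn when the returned list is non-empty.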