Security: Mutt and mailcap rules

Kevin J. McCarthy kevin at
Sat Jun 22 13:49:03 UTC 2019

On Sat, Jun 22, 2019 at 12:24:16PM +0200, Vincent Lefevre wrote:
>After reading the code, it appears that OPTMAILCAPSANITIZE is not 
>used for %s:
>      else if (*cptr == 's' && filename != NULL)
>      {
>        mutt_buffer_quote_filename (quoted, filename);
>        mutt_buffer_addstr (buf, mutt_b2s (quoted));
>        needspipe = FALSE;
>      }

It's sanitized externally by mutt_rfc1524_expand_filename() for 
receive-mode usage.  See mutt_view_attachment(), 
mutt_print_attachment(), and autoview_handler().

>If the filename is expected to be always sanitized, this should 
>probably be double-checked here to be sure and potentially avoid 
>future security bugs.

No, the setup code is complicated, as you can see from the above listed 
functions.  Send mode directly uses the filename if a nametemplate isn't 

Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Mutt-dev mailing list