Security: Mutt and mailcap rules

Kevin J. McCarthy kevin at
Sat Jun 22 23:57:59 UTC 2019

On Sun, Jun 23, 2019 at 08:55:38AM +1000, Cameron Simpson wrote:
>Returning to the quotes-in-mailcap-recipes issue, I'd be all for mutt 
>noticing _and warning_ about mailcap entries with '%s' in them, and 
>maybe doing an aggressive filename sanitisation at that point to 
>provide an _unquoted_ but safe filename regardless of the source 
>filename. One which would be safe in quotes or not.

I'm -1 on this.  The manual clearly says not to add quotes, 
<>.  While not impossible, 
the code would not be dead-simple either, e.g. a "poor man's 
nametemplate" entry like:
   text/crazy; foo 'bar'%s'mysuffix'

Furthermore, the filename sanitization takes place outside the function, 
before tmpdir generation and data copy or symlink occur.  Adding the 
described aggressive sanitization inside mutt_rfc1524_expand_command() 
would simply lead to the wrong filename being in the invocation.

This is also why the existing sanitization can't be put inside for %s. 
If $tmpdir is set to "~/déchets", none of the resulting $tmpdir files 
would be readable, because the whole path is passed in.

Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Mutt-dev mailing list