Security: Mutt and mailcap rules

Vincent Lefevre vincent at vinc17.org
Sun Jun 23 10:36:07 UTC 2019


On 2019-06-23 14:44:36 +1000, Cameron Simpson wrote:
> Were it a simple filename it would all be easy. Maybe a chdir(tmpdir)
> before running the shell command with a simple filename?

I'm not sure whether this is a good idea. The temporary directory
may be (and often is) world-writable, and on multi-user machines,
this increases the risk of vulnerability. For instance, some
programs may consider configuration files in the current working
directory, and/or may write/re-read files there.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


More information about the Mutt-dev mailing list