Package: lintian
Version: 2.42.0
X-Debbugs-CC: felix.lech...@lease-up.com, atom...@gmail.com

Hello,

thanks for your work on #33486 (check for unsafe mailcap entries). I want to report a couple of issues:

1) only %s is checked

The top message in #33486 refers to "%-expansions", but the test only addresses "%s". I don't see a reason not to check for every possible %-expansion (%s, %t, %{name}, %n, %F). Mailcap rules are not required to have a "%s" because they can use stdin/stdout, but they may still contain other %-expansions, which are also unsafe if quoted. For example the replacement for %t or %{charset} may come directly from untrusted email headers.

2) false positives / false negatives

The current algorithm to determine whether a %-expansion is inside quotes may work in the majority of cases, but it's easy to produce false positives and false negatives:

False negatives:

    text/plain; foo --opt=\\' '%s'
    text/plain; foo --opt="\\"it's cool\\"" '%s'

False positives:

    text/plain; foo --opt=\\' %s; print=bar --opt=\\' %s
    text/plain; foo "$(readlink %s)"

Making a 100% correct check is a hairy business: it would require taking into account the entire shell grammar. I don't have a concrete proposal at the moment, I just wanted to make sure you are aware of the problem. I'm not suggesting to complicate the current check by adding special cases because it would just make it harder to reason about.

Before I knew about the Lintian test I used to look for bad rules with these simple patterns:

    '.*%(s|t|{[^}]*}|n|F)'
    ".*%(s|t|{[^}]*}|n|F)"

This also has both false positives and false negatives, but they should be unlikely to occur because %-expansions are usually intended to be placed at the end of a shell word.

The current check also doesn't address %-expansions inside `back quotes` which, albeit improbable, are also affected by the same problem.

I don't know what to do about point #2, but at least #1 should be easy to fix.

Now that we have this Lintian test, is it still appropriate to file bugs for packages with bad quotation in mailcap rules, or should I assume that every maintainer runs Lintian and is already aware of the problem? For example we have libreoffice bug #950319 (bad mailcap rule), which is blocked by mailcap bug #928037 (document policy about quoting). The latter was reported by me (and not making any progress).

Thanks,
MNZ

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950319
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928037
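
The two patterns quoted in the report, applied per mailcap field to all five %-expansions, as an added example that is not part of the original message, not Lintian's check and not the reporter's own script. The names `split_fields` and `scan` are hypothetical, sample lines 2-4 are constructed, and one entry per physical line is assumed (no continuation lines).

```python
import re

# The report's two patterns in Python syntax: an opening quote, any text,
# one of %s, %t, %{name}, %n, %F, then the closing quote of the same kind.
EXPANSION = r"%(?:s|t|\{[^}]*\}|n|F)"
PATTERNS = {"single": re.compile("'.*" + EXPANSION + "'"),
            "double": re.compile('".*' + EXPANSION + '"')}

def split_fields(entry):
    """Split one mailcap entry on ';', keeping backslash escapes intact."""
    fields, cur, i = [], "", 0
    while i < len(entry):
        if entry[i] == "\\" and i + 1 < len(entry):
            cur, i = cur + entry[i:i + 2], i + 2   # escaped char, not a separator
        elif entry[i] == ";":
            fields.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + entry[i], i + 1
    fields.append(cur.strip())
    return fields

def scan(text):
    """Return (line number, field, quote kind) for every matching field."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                               # blank line or comment
        for field in split_fields(line)[1:]:       # field 0 is the MIME type
            for kind, pattern in PATTERNS.items():
                if pattern.search(field):
                    hits.append((lineno, field, kind))
    return hits

# Lines 2-4 are constructed; lines 5-8 are the report's four examples verbatim.
SAMPLE = r"""# sample mailcap
text/plain; less %s
text/html; w3m -T '%t' -I "%{charset}"; copiousoutput
image/png; viewer; print=lpr -J '%n files' %F
text/plain; foo --opt=\\' '%s'
text/plain; foo --opt="\\"it's cool\\"" '%s'
text/plain; foo --opt=\\' %s; print=bar --opt=\\' %s
text/plain; foo "$(readlink %s)"
"""

if __name__ == "__main__":
    for lineno, field, kind in scan(SAMPLE):
        print(f"line {lineno}: %-expansion closes a {kind}-quoted word: {field}")
```

Line 3 is flagged twice without containing %s at all, and line 4 is missed because its quoted %n is not at the end of the shell word, which is the kind of false negative the report says these patterns have.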