Package: lintian
Version: 2.42.0
X-Debbugs-CC: felix.lech...@lease-up.com, atom...@gmail.com

Hello,

thanks for your work on #33486 (check for unsafe mailcap entries).
I want to report a couple of issues:

1) only %s is checked

The top message in #33486 refers to "%-expansions", but the test only addresses 
"%s".
I don't see a reason not to check for every possible %-expansion (%s, %t, 
%{name}, %n, %F).
Mailcap rules are not required to have a "%s" because they can use 
stdin/stdout, but they may still contain other %-expansions, which are also 
unsafe if quoted.
For example the replacement for %t or %{charset} may come directly from 
untrusted email headers.

2) false positives / false negatives

The current algorithm to determine whether a %-expansion is inside quotes may 
work in the majority of cases, but it's easy to produce false positives and 
false negatives:

False negatives:
text/plain; foo --opt=\\' '%s'
text/plain; foo --opt="\\"it's cool\\"" '%s'

False positives:
text/plain; foo --opt=\\' %s; print=bar --opt=\\' %s
text/plain; foo "$(readlink %s)"

Making a 100% correct check is a hairy business: it would require taking into 
account the entire shell grammar.
I don't have a concrete proposal at the moment; I just wanted to make sure you 
are aware of the problem. I'm not suggesting complicating the current check by 
adding special cases, because it would just make it harder to reason about.

Before I knew about the Lintian test I used to look for bad rules with these 
simple patterns:
'.*%(s|t|{[^}]*}|n|F)'
".*%(s|t|{[^}]*}|n|F)"
This also has both false positives and false negatives, but they should be 
unlikely to occur because %-expansions are usually intended to be placed at the 
end of a shell word.

The current check also doesn't address %-expansions inside `back quotes` which, 
albeit improbable, are also affected by the same problem.

I don't know what to do about point #2, but at least #1 should be easy to fix.


Now that we have this Lintian test, is it still appropriate to file bugs for 
packages with bad quotation in mailcap rules, or should I assume that every 
maintainer runs Lintian and is already aware of the problem?
For example we have libreoffice bug #950319 (bad mailcap rule), which is 
blocked by mailcap bug #928037 (document policy about quoting). The latter was 
reported by me (and not making any progress).

Thanks,
MNZ

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=33486
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950319
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928037
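The two grep patterns from the report, extended with a back-quote variant for the case it mentions and run over the report's own four example rules, as an added example (my code, not the reporter's and not Lintian's check). The sample mailcap is constructed, and `quoted_expansions` / `scan_mailcap` are assumed helper names.

```python
import re

# %-expansions named in the report: %s, %t, %{name}, %n, %F
EXPANSION = r"%(?:s|t|\{[^}]*\}|n|F)"

# The two grep patterns from the report plus a back-quote variant: an expansion
# directly followed by the closing quote is taken to sit inside that shell word.
PATTERNS = {
    "single-quoted": re.compile(r"'.*" + EXPANSION + r"'"),
    "double-quoted": re.compile(r'".*' + EXPANSION + r'"'),
    "back-quoted": re.compile(r"`.*" + EXPANSION + r"`"),
}

def quoted_expansions(rule):
    """Names of the patterns that fire on one complete mailcap rule."""
    return [name for name, rx in PATTERNS.items() if rx.search(rule)]

def scan_mailcap(text):
    """Return (line number, rule, hits) for every rule some pattern flags.
    Comments/blank lines are skipped; a trailing backslash continues the rule."""
    findings, buf, start = [], "", 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        rule, buf = buf + line, ""
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue
        hits = quoted_expansions(rule)
        if hits:
            findings.append((start, rule, hits))
    return findings

SAMPLE_MAILCAP = r"""# constructed mailcap, not from any package; lines 2-5 are the report's examples
text/plain; foo --opt=\\' '%s'
text/plain; foo --opt=\\"it's cool\\" '%s'
text/plain; foo --opt=\\' %s; print=bar --opt=\\' %s
text/plain; foo "$(readlink %s)"
text/html; browser \
    --title "%t" %s
image/png; show `basename %s` %s
text/x-log; viewer 'cat %s | less'
"""

if __name__ == "__main__":
    for lineno, rule, hits in scan_mailcap(SAMPLE_MAILCAP):
        print(f"line {lineno} [{', '.join(hits)}]: {rule}")
```

The simple patterns flag the report's two "false negative" rules and stay silent on its two "false positive" rules, while the last sample rule shows the miss the report itself warns about: an expansion that is quoted but not at the end of the shell word.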
