On Sat, Feb 06, 2021 at 07:35:16AM +0100, Marriott NZ wrote:
> 
> run-mailcap fails if run as "open" on file names containing special 
> characters.
> It also allows shell command injection from file names (again: 
> https://www.debian.org/security/2014/dsa-3114).

Thanks Marriott for the heads-up.  I totally forgot about this.

> The problem originates from this commit:
> https://salsa.debian.org/debian/mailcap/-/commit/66f82f13d86d565ebe249a8b56da8dd0cb63e2ef
> > Prevent run-mailcap from creating a temporary copy when run as "open".

I will revert it.

> The man page is giving false information, please fix this too:

Thanks for spotting this as well.

> An alternative to making a temporary symlink would be to properly
> quote special characters in the file name (as described here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980345).

I will have a look at this but first will upload the fix for /usr/bin/open.

Have a nice day,

Charles

-- 
Charles Plessy                         Nagahama, Yomitan, Okinawa, Japan
Tooting from work,           https://mastodon.technology/@charles_plessy
Tooting from home,                 https://framapiaf.org/@charles_plessy
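
Added example, not part of the original message and not run-mailcap's own code: it contrasts pasting a file name verbatim into a mailcap-style `%s` command with the two remedies discussed in the thread, quoting the name and passing a temporary symlink. The template, the function names, the link name and the sample file name are assumptions made for illustration, and Python's `shlex.quote` stands in for whatever quoting the Perl script would use.

```python
import os
import shlex
import subprocess
import tempfile

TEMPLATE = "cat %s"  # constructed mailcap-style view command, %s = file name


def run_shell(command):
    """Run a command line through sh -c, as a mailcap handler would be."""
    done = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return done.stdout


def expand_naive(template, path):
    # The file name is pasted in verbatim, so its characters become shell syntax.
    return template.replace("%s", path)


def expand_quoted(template, path):
    # shlex.quote wraps the name in single quotes and escapes embedded ones.
    return template.replace("%s", shlex.quote(path))


def expand_symlink(template, path, workdir):
    # Point a link with a fixed, harmless name at the real file and pass the link.
    link = os.path.join(workdir, "mailcap-link")
    os.symlink(path, link)
    return template.replace("%s", link)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed file name containing a space and a shell metacharacter.
        path = os.path.join(workdir, "notes; echo INJECTED.txt")
        with open(path, "w") as handle:
            handle.write("file body\n")
        return {
            "naive": run_shell(expand_naive(TEMPLATE, path)),
            "quoted": run_shell(expand_quoted(TEMPLATE, path)),
            "symlink": run_shell(expand_symlink(TEMPLATE, path, workdir)),
        }


if __name__ == "__main__":
    for name, output in demo().items():
        print(name, repr(output))
```

With the naive expansion the viewer never receives the file and the tail of the name runs as a second command; the quoted and symlink forms both deliver the file contents.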
