On Wed, Feb 03, 2016 at 12:42:34AM +0100, Dmitrij D. Czarkoff wrote:
> Stuart Henderson said:
> > On 2016/02/03 00:25, Dmitrij D. Czarkoff wrote:
> > > Stuart Henderson said:
> > > > On 2016/02/02 21:58, Landry Breuil wrote:
> > > > > Oh, and the code in src/int/file_magic.c even has a fallback to use
> > > > > file %s -b --mime-type called via popen()..
> > > > 
> > > > It would be nice to kill the other options and use file(1) from base
> > > > as the only detection method, it is *loads* safer.
> > > 
> > > Well, the actual code is:
> > > 
> > > | snprintf(command, sizeof(command), "file \"%s\" -b --mime-type", filename);
> > > 
> > > Note double quotes.  Of course no quoting is performed on filename.
> > > Thus:
> > > 
> > > 1. If filename contains double quote, vifm segfaults.
> > > 2. If filename is nasty, nasty things happen.  E.g. I renamed a png image
> > >    to "$(echo text)", and vifm opened it in vi.  I guess filename
> > >    "`doas rm -Rf $HOME/*`" will also pleasantly surprise user.
> > 
> > Ugh. I have seen CVEs assigned for smaller problems than that!
> 
> I've added a naive patch to openbsd-wip version of this port.  Vifm
> still opens renamed png in vi, but at least does not execute commands.

Better report it directly upstream then? :)

Landry
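The fix the thread is circling around is to stop handing the filename to a shell at all. As an added illustration (not vifm's code and not part of the patch Dmitrij mentions), the block below runs file(1) through fork/execvp with the filename as its own argv element, so a name like "$(echo text)" or one containing a double quote is passed to file(1) verbatim and never interpreted. The function names run_capture and file_mime_type, the use of "--" to end option parsing, and the "$(echo text)" sample are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with the given argument vector directly (no shell), capture
 * its stdout into out as a NUL-terminated string. Returns the child's exit
 * status, or -1 if the process could not be started or waited for.
 * Because every argv entry reaches the child unchanged, characters such as
 * '"', '$', '`' or ';' in a filename have no special meaning here. */
int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec the program */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);               /* exec failed (e.g. program not in PATH) */
    }

    /* parent: read until EOF or the buffer is full */
    close(fds[1]);
    size_t used = 0;
    while (used + 1 < outlen) {
        ssize_t n = read(fds[0], out + used, outlen - 1 - used);
        if (n <= 0)
            break;
        used += (size_t)n;
    }
    out[used] = '\0';

    /* drain anything left so the child is never blocked on a full pipe */
    char sink[256];
    while (read(fds[0], sink, sizeof sink) > 0)
        ;
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The same query vifm performs ("file -b --mime-type <name>"), but with the
 * filename as a separate argument. "--" stops option parsing so a name
 * beginning with '-' is still treated as a file operand (assumption: the
 * installed file(1) accepts "--", as getopt_long-based versions do). */
int file_mime_type(const char *path, char *out, size_t outlen)
{
    char *const argv[] = { "file", "-b", "--mime-type", "--", (char *)path, NULL };
    return run_capture(argv, out, outlen);
}

int main(int argc, char **argv)
{
    char buf[256];

    /* constructed hostile name from the thread: it must come back literally */
    char *const demo[] = { "echo", "$(echo text)", NULL };
    if (run_capture(demo, buf, sizeof buf) == 0)
        printf("echo saw: %s", buf);

    /* optional: query the MIME type of a real file given on the command line */
    if (argc > 1 && file_mime_type(argv[1], buf, sizeof buf) == 0)
        printf("%s: %s", argv[1], buf);
    return 0;
}
```

The popen() variant is only as safe as the quoting that precedes it, and the snprintf line quoted above performs none; with execvp there is nothing to quote because the argument vector is never reparsed. A minimal regression check for this kind of bug is exactly the renamed file from the thread: the expected MIME type should come back for "$(echo text).png", and nothing should be executed.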
