STINNER Victor <[email protected]> added the comment:
In 2022, Python 3.11 still has the issue:
----------------
vstinner@apu$ python3.11 -m mailcap
Mailcap files:
/home/vstinner/.mailcap
/etc/mailcap
(...)
Mailcap entries:
(...)
text/html
copiousoutput
lineno 5
view /usr/bin/xdg-open %s
$ python3 -m mailcap text/html 'filename; pwd'
Executing: /usr/bin/xdg-open filename; pwd
(...)
/home/vstinner/python/main
----------------
Maybe subst() can be modified to work on a list (as Bernd Dietzel proposed) and
then use subprocess to avoid the shell, and so avoid having to pass a single
string, passing a *list* of arguments (strings) instead.
The problem is that it would change the public mailcap.findmatch() API:
"Return a 2-tuple; the first element is a string containing the command line to
be executed (which can be passed to os.system()), (...)"
https://docs.python.org/dev/library/mailcap.html#mailcap.findmatch
Adding a new findmatch_list() function avoids the backward compatibility issue,
but the existing findmatch() function would remain vulnerable.
The other problem is that the mailcap.findmatch() function supports the "test"
command, which executes os.system() on the string created by mailcap.subst().
Is the mailcap format (RFC 1524) still used in 2022? Does the mailcap module
still belong to the Python stdlib in 2022?
I propose to:
* (1) Document the shell injection vulnerability: the caller is responsible for
validating the filename
* (2) Deprecate the mailcap module
A code search in the top 5000 PyPI projects (at 2022-01-26) did not find any
Python source code using the "mailcap" module. I only found the word "mailcap"
used to refer to other things:
* https://docs.djangoproject.com/en/4.0/ref/contrib/staticfiles/ mentions a
"mailcap" RHEL package:
"This can be achieved, for example, by installing or updating the mailcap
package on a Red Hat distribution, mime-support on a Debian distribution, or by
editing the keys under HKEY_CLASSES_ROOT in the Windows registry."
* wxPython refers to "KDE, mailcap and mime.types"
https://docs.djangoproject.com/en/4.0/ref/contrib/staticfiles/
----------
nosy: +vstinner
versions: +Python 3.11 -Python 2.7, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue24778>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
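The injection shown in the message, and the list-based alternative it proposes, as an added example that is not part of the original post and not the stdlib mailcap module's code. subst_string() is a simplified stand-in for mailcap.subst() (only %s, %t and %% are handled); subst_list() is the list variant: the template is split with shell quoting rules first, and substitution happens inside each token, so the filename becomes exactly one argv element and never reaches a shell. VIEWER_TEMPLATE is a constructed entry (a Python one-liner stands in for /usr/bin/xdg-open so the example runs offline and prints the argv it really received); the real ~/.mailcap is not read. validate_filename() is one conservative allow-list a caller could apply before findmatch(), as proposal (1) above asks; its character set is an assumption, not a standard.

```python
"""Shell injection through string-based mailcap substitution, and the
list-based, shell-free alternative. Simplified illustration; not the stdlib
mailcap module."""
import os
import re
import shlex
import subprocess
import sys

IS_POSIX = os.name == "posix"

# Constructed mailcap-style "view" entry. The page's entry is
# "/usr/bin/xdg-open %s"; here a Python one-liner plays the viewer and prints
# the argv it actually received, so the effect of each approach is visible.
VIEWER_TEMPLATE = (
    shlex.quote(sys.executable) + ' -c "import sys; print(sys.argv[1:])" %s'
)


def subst_string(template, filename, mime_type="text/html"):
    """Simplified mailcap.subst(): splice filename into a command *string*.
    Whatever the filename contains is later parsed by the shell."""
    out, i, n = [], 0, len(template)
    while i < n:
        c = template[i]
        if c == "%" and i + 1 < n:
            nxt = template[i + 1]
            if nxt == "s":
                out.append(filename)
                i += 2
                continue
            if nxt == "t":
                out.append(mime_type)
                i += 2
                continue
            if nxt == "%":
                out.append("%")
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def subst_list(template, filename, mime_type="text/html"):
    """List variant (the change proposed above): split the *template* with
    shell rules, then substitute inside each token. ';', '|', '$(...)' in the
    filename are just bytes of one argv element."""
    return [subst_string(tok, filename, mime_type) for tok in shlex.split(template)]


# Assumed allow-list: ASCII letters, digits, '.', '_', '+', '@', '/', '-';
# no whitespace, no shell metacharacters, no leading '-' (option injection).
SAFE_NAME = re.compile(r"^[A-Za-z0-9/][A-Za-z0-9._+@/-]*$", re.ASCII)


def is_safe_filename(name):
    return bool(SAFE_NAME.match(name))


def validate_filename(name):
    """What proposal (1) asks the caller to do before findmatch()."""
    if not is_safe_filename(name):
        raise ValueError(f"refusing unsafe filename: {name!r}")
    return name


def run_with_shell(cmd):
    """The os.system()-style path the findmatch() docs describe."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_without_shell(argv):
    """subprocess with an argv list: no shell parses the filename."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    hostile = "filename; pwd"  # the filename used in the transcript above
    cmd = subst_string(VIEWER_TEMPLATE, hostile)
    print("shell   :", cmd)
    print("      ->", run_with_shell(cmd))  # viewer gets 'filename', then pwd runs
    argv = subst_list(VIEWER_TEMPLATE, hostile)
    print("no shell:", argv)
    print("      ->", run_without_shell(argv))  # viewer gets 'filename; pwd'
    try:
        validate_filename(hostile)
    except ValueError as exc:
        print("validate:", exc)
```

The point the two runs make: with shell=True the viewer receives only 'filename' and the rest of the string is executed as a second command, exactly as in the transcript; with the argv list the viewer receives the whole hostile string as a single, inert argument. A list-based subst() still does not help the "test" field, which findmatch() evaluates through os.system() itself, which is why the validation step stays necessary.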