Re: Security: Mutt and mailcap rules

2019-06-23 Thread Cameron Simpson

On 23Jun2019 12:36, vincent lefevre wrote:
> On 2019-06-23 14:44:36 +1000, Cameron Simpson wrote:
> > Were it a simple filename it would all be easy. Maybe a chdir(tmpdir)
> > before running the shell command with a simple filename?
>
> I'm not sure whether this is a good idea. The temporary directory
> may be (and often is) world-writable, and on multi-user machines,
> this increases the risk of vulnerability. For instance, some
> programs may consider configuration files in the current working
> directory, and/or may write/re-read files there.

Ugh. Yes. Have we got some real world examples in mind? VCS programmes 
are the glaring ones to my mind.


Cheers,
Cameron Simpson 


Re: meaning of number of lines in the message (%l in index_format)

2019-06-23 Thread Kurt Hackenberg

On 2019-06-23 06:31, Vincent Lefevre wrote:
> ...the provided "Lines:" header is not necessarily reliable.

Right. I've seen it wrong many times.

Not from Mutt--when Mutt writes a message to an mbox file, it generates 
Lines: and Content-Length:, both correctly. But Mutt is not the only 
program in the world.


Re: Ticket 151 - strip leading '-' for mailcap sanitize

2019-06-23 Thread Kevin J. McCarthy

On Sun, Jun 23, 2019 at 11:43:56AM +0200, Eike Rathke wrote:
> Ah ok I thought sanitizing was also used when saving attachments.
> As was mentioned elsewhere prefixing './' might be best if it starts
> with '-' and a path is not prepended (can that even happen?).

Only in send mode (i.e. from the compose menu), and then only if the 
symlink fails and the user agrees to proceed anyways.  So I don't think 
this is an issue from Mutt's point of view.


The ticket submitter's issue was that he was writing a mailcap helper 
script, in which he extracted the filename and operated on it directly.


However, I'm still thinking about the cases for %{} and %t.  Those are 
not prefixed with anything.  On the other hand, use of those would tend 
to be as part of an option, (e.g. --charset=%{charset}).  I'm reluctant 
to modify $mailcap_sanitize if not necessary though.


--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
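
The following is an added example, not part of the original message and not Mutt code: a sketch of how a mailcap helper script of the kind discussed above could defend itself against a filename or a %t / %{...} value that begins with '-'. The function names (safe_path, safe_token, count_lines, demo) and the character allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical mailcap helper functions (not Mutt code).

# safe_path NAME
# Print NAME so that no utility can parse it as an option: a name that
# starts with '-' (and so has no directory part) gets './' prepended.
safe_path() {
    case "$1" in
        '') return 1 ;;                 # empty name: refuse
        -*) printf '%s\n' "./$1" ;;     # "-rf" becomes "./-rf"
        *)  printf '%s\n' "$1" ;;       # absolute, relative or plain name
    esac
}

# safe_token VALUE
# For values such as %t or %{charset} that end up on a command line.
# Assumption: a conservative character allowlist is acceptable here.
safe_token() {
    case "$1" in
        ''|-*) return 1 ;;                  # empty or option-like
        *[!A-Za-z0-9._/+-]*) return 1 ;;    # character outside the allowlist
        *) printf '%s\n' "$1" ;;
    esac
}

# count_lines NAME
# Stand-in for the helper's real work: operate on the attachment with
# both defences, the './' prefix and the '--' end-of-options marker.
count_lines() {
    p=$(safe_path "$1") || return 1
    wc -l -- "$p" | awk '{print $1}'
}

# demo: constructed sample, a two-line attachment literally named "-n",
# created inside a private (mode 0700) directory made by mktemp -d.
demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && printf 'a\nb\n' > ./-n && count_lines -n )
    rc=$?
    rm -rf -- "$d"
    return $rc
}
```
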




Re: Security: Mutt and mailcap rules

2019-06-23 Thread Vincent Lefevre
On 2019-06-23 14:44:36 +1000, Cameron Simpson wrote:
> Were it a simple filename it would all be easy. Maybe a chdir(tmpdir)
> before running the shell command with a simple filename?

I'm not sure whether this is a good idea. The temporary directory
may be (and often is) world-writable, and on multi-user machines,
this increases the risk of vulnerability. For instance, some
programs may consider configuration files in the current working
directory, and/or may write/re-read files there.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: meaning of number of lines in the message (%l in index_format)

2019-06-23 Thread Vincent Lefevre
On 2019-06-22 21:53:11 -0400, Kurt Hackenberg wrote:
> On 2019-06-22 16:47, Vincent Lefevre wrote:
> 
> > The manual says:
> > 
> > %l   number of lines in the message
> >   (does not work with maildir, mh,
> >   and possibly IMAP folders)
> 
> Seems not very useful if it mostly doesn't work. Maybe mbox read counts
> lines anyway, so this was easy? And originally there was nothing but mbox?

Note that I replaced "does not work" by "may not work", because
for maildir, mh (and IMAP), if there is a "Lines:" header, it will
be used. The "Lines:" header can be generated with a procmail rule
for instance, such as

:0 Bfh
* H ?? !^Lines:
* -1^0
* 1^1 ^.*$
| formail -A "Lines: $="

But perhaps it should be

:0 Bfh
* -1^0
* 1^1 ^.*$
| formail -I "Lines: $="

(forcing a regeneration), because the provided "Lines:" header is not
necessarily reliable.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: Ticket 151 - strip leading '-' for mailcap sanitize

2019-06-23 Thread Eike Rathke
Hi Kevin,

On Friday, 2019-06-21 13:26:22 -0700, Kevin J. McCarthy wrote:

> On Fri, Jun 21, 2019 at 10:03:23PM +0200, Eike Rathke wrote:
> > I would not like to have all '-' replaced by '_' in attachments
> > (specifically I personally use '-' instead of '_' except when I need
> > some differentiation). It may also complicate things if for some reason
> > the file name is mentioned or referenced elsewhere and not identical.
> > 
> > I'd rather much prefer to treat a leading '-' as a special case here.
> 
> This is referring to filename sanitizing for mailcap invocation:
> mutt_sanitize_filename().  The change isn't preserved outside of the
> invocation, and isn't used to otherwise modify the filenames of attachments.
> 
> Does your concern still apply in those circumstances?

Ah ok I thought sanitizing was also used when saving attachments.
As was mentioned elsewhere prefixing './' might be best if it starts
with '-' and a path is not prepended (can that even happen?).

  Eike

-- 
OpenPGP/GnuPG encrypted mail preferred in all private communication.
GPG key 0x6A6CD5B765632D3A - 2265 D7F3 A7B0 95CC 3918  630B 6A6C D5B7 6563 2D3A
Use LibreOffice! https://www.libreoffice.org/

