Bernd Dietzel added the comment:
# for the docs ... quoting of the filename when you call mailcap.findmatch()
f=";xterm;#.txt" # Shell Command Demo ... xterm will run if quote() fails
import mailcap
import random
try:
    from shlex import quote
except ImportError:
    from pipes import quote
d=mai
Bernd Dietzel added the comment:
Yes changing the docs is a good idea.
I was thinking about a patch :
import os
### patch
import random
try:
    from shlex import quote
except ImportError:
    from pipes import quote
###
... and so on
# Part 3: using the database.
def findmatch
R. David Murray added the comment:
Hmm. I see. The problem is that our desire to quote conflicts with mailcap's
attempts to quote.
I now agree with you that run-mailcap's approach is correct, but creating a
temporary alias is out of scope for findmatch. That would need to be done by
findma
Bernd Dietzel added the comment:
Exploit Demo which works with quote() :
>>> commandline,MIMETYPE=mailcap.findmatch(d, 'text/*',
...                                         filename=quote(';xterm;#.txt'))
>>> commandline
"less '';xterm;#.txt''"
>>> os.system(commandline)
### xterm starts
Bernd Dietzel added the comment:
@David
Thanks for the comment :-)
I think if you read the Documentation
https://docs.python.org/2/library/mailcap.html
this may lead new programmers, who may never have heard of Shell Injections before,
step by step directly to write insecure web browsers and/or ma
R. David Murray added the comment:
In this case os.system is an appropriate API, because it mirrors the API of
mailcap itself (that is, mailcap entries are shell commands).
I'm not convinced there is a security bug here. It seems to me that there are
two cases: either the filename is determ
Bernd Dietzel added the comment:
Maybe it would be a good idea to do so as run-mailcap does :
theregrunner@mint17 : ~ $ run-mailcap --debug "';xterm;#'.txt"
- parsing parameter "';xterm;#'.txt"
- Reading mime.types file "/etc/mime.types"...
- extension "txt" maps to mime-type "text/plain"
-
New submission from Bernd Dietzel:
If the filename contains Shell Commands they will be executed if they
are passed to os.system() as described in the docs.
Filename should be quoted with quote(filename) to fix the bug.
https://docs.python.org/2/library/mailcap.html
"mailcap.findmatch(/caps/, /
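The quoting mismatch discussed in this thread, next to the allow-list check a caller can apply before substitution, as an added example (not code from the tracker thread or from CPython's mailcap module). The mailcap dictionary is constructed inline, the %s substitution is a minimal stand-in for findmatch so the example runs without the deprecated mailcap module, and the allow-list regex is an assumption modelled on shlex's own notion of shell-safe characters.

```python
import re
import shlex

# Constructed mailcap database in the shape mailcap.getcaps() returns
# (MIME type -> list of entry dicts); not read from /etc/mailcap.
CAPS = {
    "text/plain": [{"view": "less '%s'"}],
    "text/html": [{"view": "lynx -dump %s"}],
}

# Allow-list of characters that need no quoting in a POSIX shell.
# Assumption: mirrors the set shlex.quote() treats as safe; anything
# else (';', '#', quotes, whitespace, ...) is refused outright.
_UNSAFE = re.compile(r"[^\w@+=:,./-]").search


def has_unsafe_chars(filename):
    """True if the filename contains any shell metacharacter."""
    return _UNSAFE(filename) is not None


def substitute(template, filename):
    """Mirror mailcap's raw '%s' substitution: no quoting is added."""
    return template.replace("%s", filename)


def naive_quoted_command(caps, mimetype, filename):
    """The approach tried in the thread: shlex.quote() before substitution.

    Returns the command string only; nothing is executed.  Because many
    mailcap entries already wrap %s in single quotes, the quotes nest and
    the filename's metacharacters end up outside any quoted region.
    """
    entry = caps[mimetype][0]
    return substitute(entry["view"], shlex.quote(filename))


def safe_findmatch(caps, mimetype, filename):
    """findmatch-style lookup that refuses unsafe filenames.

    Returns (command, mimetype) like mailcap.findmatch(), or (None, None)
    when the filename cannot be substituted safely, so the caller never
    obtains a command string it would be unsafe to hand to os.system().
    """
    if has_unsafe_chars(filename):
        return None, None
    entry = caps[mimetype][0]
    return substitute(entry["view"], filename), mimetype
```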