
Author: vstinner
Recipients: TheRegRunner, docs@python, r.david.murray, vstinner
Date: 2022-04-06.15:30:36
Message-id: <1649259037.11.0.678724754083.issue24778@roundup.psfhosted.org>
Content
In 2022, Python 3.11 still has the issue:
----------------
vstinner@apu$ python3.11 -m mailcap
Mailcap files:
    /home/vstinner/.mailcap
    /etc/mailcap
    (...)
Mailcap entries:
(...)
text/html
  copiousoutput
  lineno          5
  view            /usr/bin/xdg-open %s

$ python3 -m mailcap text/html 'filename; pwd'
Executing: /usr/bin/xdg-open filename; pwd
(...)
/home/vstinner/python/main
----------------


Maybe subst() can be modified to work on a list (as Bernd Dietzel proposed) and then use subprocess to avoid the shell, and so avoid having to pass a single string, passing a *list* of arguments (strings) instead.

The problem is that it would change the public mailcap.findmatch() API:
"Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to os.system()), (...)"
https://docs.python.org/dev/library/mailcap.html#mailcap.findmatch

Adding a new findmatch_list() function avoids the backward compatibility issue, but the existing findmatch() function would remain vulnerable.

The other problem is that the mailcap.findmatch() function supports a "test" command which executes os.system() on a string created by mailcap.subst().

Is the mailcap format (RFC 1524) still used in 2022? Does the mailcap module still belong to the Python stdlib in 2022?

I propose to:

* (1) Document the shell injection vulnerability: the caller is responsible for validating the filename
* (2) Deprecate the mailcap module


A code search in the top 5000 PyPI projects (at 2022-01-26) did not find any Python source code using the "mailcap" module. I only found the word "mailcap" used to refer to other things:

* https://docs.djangoproject.com/en/4.0/ref/contrib/staticfiles/ mentions a "mailcap" RHEL package:

  "This can be achieved, for example, by installing or updating the mailcap package on a Red Hat distribution, mime-support on a Debian distribution, or by editing the keys under HKEY_CLASSES_ROOT in the Windows registry."

* wxPython refers to "KDE, mailcap and mime.types"

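As an added example (not code from CPython's mailcap module or from anyone in this thread), here is a minimal implementation of the list-returning approach discussed above: a simplified RFC 1524 reader (no `\;` escaping, first matching entry wins), a subst() counterpart that expands `%s`, `%t`, `%{name}` and `%%` inside each shlex-split token so the filename can never become a second command, and two helpers for the remaining string-API callers: `shell_command()` quotes an argv list for os.system(), and `is_safe_filename()` is the allow-list check proposal (1) asks callers to do. The names `parse_mailcap`, `subst_list`, `findmatch_list`, `shell_command` and `is_safe_filename` are hypothetical, and `SAMPLE_MAILCAP` is constructed to resemble the text/html entry shown in the report.

```python
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed mailcap text modelled on the text/html entry in the report
# (not the contents of any real ~/.mailcap or /etc/mailcap).
SAMPLE_MAILCAP = """\
# comment lines and blank lines are ignored
text/html; /usr/bin/xdg-open %s; copiousoutput
text/plain; /usr/bin/less %s; needsterminal
application/pdf; /usr/bin/evince '%s'; test=test -n "$DISPLAY"
"""


def parse_mailcap(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal RFC 1524 reader: 'type; view-command; flag; key=value ...'.
    Returns {mimetype: {"view": str, "flags": set, "fields": dict}}.
    Simplification: no '\\;' escaping; the first entry for a type wins."""
    entries: Dict[str, Dict[str, object]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 2 or not parts[1]:
            continue
        mimetype, view = parts[0].lower(), parts[1]
        flags, fields = set(), {}
        for extra in parts[2:]:
            key, sep, value = extra.partition("=")
            if sep:
                fields[key.strip()] = value.strip()   # e.g. the "test" command
            elif extra:
                flags.add(extra)
        entries.setdefault(mimetype, {"view": view, "flags": flags, "fields": fields})
    return entries


def _subst_token(token: str, mimetype: str, filename: str, params: Dict[str, str]) -> str:
    """Expand %s, %t, %{name} and %% inside ONE argv element. The expansion is
    inserted verbatim and never re-parsed, so ';', '|', '$' in it stay data."""
    out: List[str] = []
    i = 0
    while i < len(token):
        ch = token[i]
        if ch != "%" or i + 1 >= len(token):
            out.append(ch)
            i += 1
            continue
        spec = token[i + 1]
        if spec == "%":
            out.append("%")
            i += 2
        elif spec == "s":
            out.append(filename)
            i += 2
        elif spec == "t":
            out.append(mimetype)
            i += 2
        elif spec == "{":
            end = token.find("}", i + 2)
            if end == -1:
                raise ValueError(f"unterminated %{{...}} in {token!r}")
            out.append(params.get(token[i + 2:end], ""))
            i = end + 1
        else:
            out.append("%" + spec)  # unknown sequence: keep it literally
            i += 2
    return "".join(out)


def subst_list(view: str, mimetype: str, filename: str,
               params: Optional[Dict[str, str]] = None) -> List[str]:
    """Counterpart of mailcap.subst() that returns argv instead of a shell string."""
    argv = [_subst_token(tok, mimetype, filename, params or {}) for tok in shlex.split(view)]
    if not argv:
        raise ValueError("empty view command")
    return argv


def findmatch_list(entries: Dict[str, Dict[str, object]], mimetype: str, filename: str,
                   params: Optional[Dict[str, str]] = None) -> Optional[List[str]]:
    """Counterpart of mailcap.findmatch(): argv for subprocess.run(), or None."""
    entry = entries.get(mimetype.lower())
    if entry is None:
        return None
    return subst_list(str(entry["view"]), mimetype, filename, params)


def shell_command(argv: List[str]) -> str:
    """For callers that must still hand one string to os.system(): quote each element."""
    return " ".join(shlex.quote(a) for a in argv)


# Allow-list for filenames passed to the string-returning findmatch(): no shell
# metacharacters, no whitespace, and no leading '-' (would be read as an option).
_SAFE_NAME = re.compile(r"\A[A-Za-z0-9_./][A-Za-z0-9_./+-]*\Z")


def is_safe_filename(name: str) -> bool:
    return bool(_SAFE_NAME.match(name))


if __name__ == "__main__":
    entries = parse_mailcap(SAMPLE_MAILCAP)
    hostile = "filename; pwd"  # the constructed filename from the report
    argv = findmatch_list(entries, "text/html", hostile)
    print("argv:", argv)  # ['/usr/bin/xdg-open', 'filename; pwd']
    print("os.system() string:", shell_command(argv))  # /usr/bin/xdg-open 'filename; pwd'
    print("allow-list accepts it:", is_safe_filename(hostile))  # False
    # A Python child stands in for xdg-open so the demo runs anywhere; it shows
    # the whole value arrives as a single argv element, never as a second command.
    subprocess.run([sys.executable, "-c", "import sys; print(sys.argv[1:])", *argv[1:]], check=True)
```

The `test=` field is parsed into `fields` but deliberately not executed here; a caller would run it through `subst_list()` and `subprocess.run()` exactly like the view command, which closes the second os.system() path mentioned above.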
History
Date                 User      Action  Args
2022-04-06 15:30:37  vstinner  set     recipients: + vstinner, r.david.murray, docs@python, TheRegRunner
2022-04-06 15:30:37  vstinner  set     messageid: <1649259037.11.0.678724754083.issue24778@roundup.psfhosted.org>
2022-04-06 15:30:37  vstinner  link    issue24778 messages
2022-04-06 15:30:36  vstinner  create