This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients TheRegRunner, docs@python, r.david.murray, vstinner
Date 2022-04-06.15:30:36
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
In 2022, Python 3.11 still has the issue:
vstinner@apu$ python3.11 -m mailcap
Mailcap files:
Mailcap entries:
  lineno          5
  view            /usr/bin/xdg-open %s

$ python3 -m mailcap text/html 'filename; pwd'
Executing: /usr/bin/xdg-open filename; pwd

Maybe subst() can be modified to work on a list (as Bernd Dietzel proposed) and then use subprocess to avoid shell and so avoid having to pass a single string, but pass a *list*
of arguments (strings).

The problem is that it would change the public mailcap.findmatch() API:
"Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to os.system()), (...)"

Adding a new findmatch_list() function avoids the backward compatibility issue, but the existing findmatch() function would remain vulnerable.

The other problem is that the mailcap.findmatch() function supports "test" command which
executes os.system() on string created by mailcap.subst().

Is the mailcap format (RFC 1524) still used in 2022? Does the mailcap module still belong to the Python stdlib in 2022?

I propose to:

* (1) Document the shell injection vulnerability: the caller is responsible to validate the filename
* (2) Deprecate the mailcap module

A code search in the top 5000 PyPI projects (at 2022-01-26) did not find any Python source code using the "mailcap" module. I only found the word "mailcap" used to refer to other things:

* mentions a "mailcap" RHEL package:

  "This can be achieved, for example, by installing or updating the mailcap package on a Red Hat distribution, mime-support on a Debian distribution, or by editing the keys under HKEY_CLASSES_ROOT in the Windows registry."

* wxPython refers to "KDE< mailcap and mime.types"
Date User Action Args
2022-04-06 15:30:37vstinnersetrecipients: + vstinner, r.david.murray, docs@python, TheRegRunner
2022-04-06 15:30:37vstinnersetmessageid: <>
2022-04-06 15:30:37vstinnerlinkissue24778 messages
2022-04-06 15:30:36vstinnercreate