mutt stable branch with some hacks
Recently, there have been reports of security problems caused by
the interpretation of shell meta-characters embedded in MIME
parameters. These reports referred to Pine, but the problem also
applied to mutt.

More precisely, a mailcap entry like this one would lead to
problems:

> text/test-mailcap-bug; cat %s; copiousoutput; \
> test=test "`echo %{charset} | tr '[A-Z]' '[a-z]'`" != iso-8859-1

When expanded with a charset parameter of ``touch${IFS}ME``, a file
named "ME" would be created in the current directory: the parameter
value is substituted into the backtick command substitution, so the
shell executes it instead of merely comparing it.

While we don't completely agree that this is actually a MUA problem
(see below), we have implemented a couple of fixes for it:

- Backticks are handled specially when preparing % expandos for
  mailcap entries. This fix keeps the problem above from occurring,
  but we are sure there are other possible mailcap entries where it
  doesn't help.

- We have added a configuration variable named $mailcap_sanitize,
  which is set by default. If set, mutt restricts the characters
  allowed in mailcap % expandos to a well-defined set of safe
  characters. This is the safe setting, but we are not sure it
  doesn't break some more advanced MIME setups.

>>> DON'T UNSET THIS OPTION UNLESS YOU KNOW WHAT YOU ARE DOING.


In any case, this is not necessarily a problem that should be solved
inside the MUA: it is difficult (maybe impossible) to solve there,
and more than one program parses mailcap files. Writing secure
mailcap entries is therefore a good idea in general, and we
encourage you to do so.

The most basic rule is this one:

>>> KEEP THE %-EXPANDOS AWAY FROM SHELL QUOTING.

Don't quote them with single or double quotes yourself. Mutt does
this for you, the right way, as should any other program that
interprets mailcap; quotes of your own around an expando only turn
mutt's quoting into literal characters. Don't put them into backtick
expansions; as you have seen above, this is a recipe for disaster.
Be very careful with eval statements, and avoid them entirely if at
all possible.

If you have to use an expando's value in a context where you need
quoting or backtick expansions, first assign that value to a shell
variable, then reference the variable where necessary, with proper
quoting around it (as in "$charset").

For example, a safe version of the mailcap entry above could look
like this:

> text/test-mailcap-bug; cat %s; copiousoutput; test=charset=%{charset} \
> && test "`echo \"$charset\" | tr '[A-Z]' '[a-z]'`" != iso-8859-1
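To make the rule concrete, here is an added example in POSIX sh. It is not mutt's code and not from the mutt maintainers; it emulates what a MUA does before handing a mailcap test command to "sh -c": wrap each %-expando value in single quotes, optionally sanitize it in the spirit of $mailcap_sanitize, substitute it into the template, and then run the hardened entry from the text in a scratch directory against a hostile charset value. The quoting routine, the safe character set, the helper names (quote_expando, sanitize_expando, expand_test, run_test_entry, check_safe_entry) and the hostile inputs are all assumptions for illustration; it also assumes, as the entry above relies on, that the mailcap parser passes the \" through so that the shell consumes it inside the backticks.

```shell
#!/bin/sh
# Added example (not mutt's own code): emulate how a MUA turns a mailcap
# 'test' command into the string it hands to "sh -c", then run the hardened
# entry from the text against a hostile charset parameter.
# Assumptions: single-quote wrapping for %-expandos, and a conservative
# safe character set standing in for what $mailcap_sanitize allows.

# Wrap a MIME parameter value in single quotes so the shell sees one literal
# word; an embedded single quote becomes '\'' so it cannot end the quoting.
quote_expando() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Emulate the idea of $mailcap_sanitize: anything outside a small safe set
# becomes '_'. (The exact set mutt uses is an assumption here.)
sanitize_expando() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9@+_.,:-]/_/g'
}

# Substitute every %{charset} in a mailcap command template with VALUE
# (already quoted/sanitized by the caller), using only parameter expansion
# so that characters in VALUE are never treated as sed/awk metacharacters.
expand_test() {
    tpl=$1 value=$2 out= tok='%{charset}'
    while :; do
        case $tpl in
            *"$tok"*)
                head=${tpl%%"$tok"*}
                out=$out$head$value
                tpl=${tpl#*"$tok"}
                ;;
            *)
                out=$out$tpl
                break
                ;;
        esac
    done
    printf '%s' "$out"
}

# Run an expanded 'test' command in a scratch directory. Prints the command's
# exit status followed by "clean", or "INJECTED" if the hostile value managed
# to create the file ME the text describes.
run_test_entry() {
    cmd=$1
    dir=$(mktemp -d) || return 2
    if ( cd "$dir" && sh -c "$cmd" ); then status=0; else status=$?; fi
    if [ -e "$dir/ME" ]; then verdict=INJECTED; else verdict=clean; fi
    rm -rf "$dir"
    printf '%s %s\n' "$status" "$verdict"
}

# The two 'test' commands from the text, stored as a mailcap file holds them
# (the \" reaches the shell, which consumes it inside the backticks).
UNSAFE_TEST='test "`echo %{charset} | tr '\''[A-Z]'\'' '\''[a-z]'\''`" != iso-8859-1'
SAFE_TEST='charset=%{charset} && test "`echo \"$charset\" | tr '\''[A-Z]'\'' '\''[a-z]'\''`" != iso-8859-1'

# Expand and run the hardened entry for a given charset value; prints the
# same "status verdict" line as run_test_entry.
check_safe_entry() {
    run_test_entry "$(expand_test "$SAFE_TEST" "$(quote_expando "$1")")"
}

main() {
    hostile='touch${IFS}ME'   # constructed hostile parameter value from the text
    printf 'quoted:    %s\n' "$(quote_expando "$hostile")"
    printf 'sanitized: %s\n' "$(sanitize_expando "$hostile")"
    # Only shown, not run: the expando lands inside the backtick substitution,
    # which is exactly the placement the text warns against.
    printf 'unsafe entry expands to: %s\n' "$(expand_test "$UNSAFE_TEST" "$(quote_expando "$hostile")")"
    printf 'safe entry expands to:   %s\n' "$(expand_test "$SAFE_TEST" "$(quote_expando "$hostile")")"
    printf 'safe entry, hostile charset: %s\n' "$(check_safe_entry "$hostile")"
    printf 'safe entry, ISO-8859-1:      %s\n' "$(check_safe_entry 'ISO-8859-1')"
    printf 'safe entry, utf-8:           %s\n' "$(check_safe_entry 'utf-8')"
}
main
```

In the hardened entry the hostile value only ever exists as the contents of a single-quoted assignment and then as "$charset": the `${IFS}` is never re-parsed by the shell, the test simply compares the lowercased string against iso-8859-1, and no file ME appears. The unsafe entry is expanded for display only, so that the reader can see the value sitting inside the backticks; the example does not claim to reproduce the original Pine or mutt behaviour.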