gh-68966: Make mailcap refuse to match unsafe filenames/types/params #91993
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
vstinner
reviewed
Apr 28, 2022
| if _find_unsafe(filename): | ||
| msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,) | ||
| warnings.warn(msg, UnsafeMailcapInput) | ||
| return None, None |
There was a problem hiding this comment.
Usually when a warning is displayed, the function still returns its regular result. For example, calling a deprecated function emits a DeprecationWarning, but the function is executed. If we go this way (reject filenames which look unsafe), I suggest to raise an exception instead.
There was a problem hiding this comment.
In this case, IMO since the caller should always do whatever it does on None result -- fall back to some other mechanism, or ask the user -- returning None is less disruptive.
gpshead
reviewed
May 11, 2022
Lib/mailcap.py
Outdated
| @@ -19,6 +20,11 @@ def lineno_sort_key(entry): | |||
| else: | |||
| return 1, 0 | |||
|
|
|||
| _find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@%+=:,./-]').search | |||
There was a problem hiding this comment.
is % safe? DOS derived shells use that for variable expansion IIRC.
There was a problem hiding this comment.
Mailcap implements the “Implementation Details for UNIX” appendix of RFC-1524 (which is what specifies using % for the placeholders), and that says:
(Because of differences in shells and the implementation and behavior
of the same shell from one system to another, it is specified that
the command line be intended as input to the Bourne shell, i.e., that
it is implicitly preceded by "/bin/sh -c " on the command line.)
So I'd say it's safe for Python to allow %. But it also won't hurt much to disallow it, so I'll do that.
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this pull request
May 18, 2022
…cond argument Source: python/cpython#91993 MR: 117402 Type: Security Fix Disposition: Backport from python/cpython@c3e7f13 ChangeID: 7118c5678a340cfcad95b0e5fb116b8919e389b8 Description: CVE-2015-20107 python(mailcap): findmatch() function does not sanitise the second argument. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
|
I think it's good and it seems to work well. I like the regex. |
|
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Jun 3, 2022
…arams (pythonGH-91993) (cherry picked from commit b9509ba) Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
GH-93458 is a backport of this pull request to the 3.11 branch. |
miss-islington
added a commit
that referenced
this pull request
Jun 3, 2022
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this pull request
Jun 6, 2022
…cond argument Source: python/cpython#91993 MR: 117410 Type: Security Fix Disposition: Backport from python/cpython@c3e7f13 ChangeID: 6101cf28d6a5288fe07c654df016c3f5810c705a Description: CVE-2015-20107 python(mailcap): findmatch() function does not sanitise the second argument. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
encukou
added
3.10
|
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.10. |
|
GH-93543 is a backport of this pull request to the 3.10 branch. |
|
GH-98192 is a backport of this pull request to the 3.8 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Oct 11, 2022
…arams (pythonGH-91993) (cherry picked from commit b9509ba) Co-authored-by: Petr Viktorin <encukou@gmail.com>
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Oct 11, 2022
…arams (pythonGH-91993) (cherry picked from commit b9509ba) Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
Thanks @encukou for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Oct 11, 2022
…arams (pythonGH-91993) (cherry picked from commit b9509ba) Co-authored-by: Petr Viktorin <encukou@gmail.com>
|
#98191 is the 3.7 backport. Bedevere somehow missed the comment here. |
ambv
pushed a commit
that referenced
this pull request
Oct 11, 2022
ambv
pushed a commit
that referenced
this pull request
Oct 11, 2022
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this pull request
Oct 12, 2022
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this pull request
Oct 12, 2022
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this pull request
Oct 12, 2022
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
slozier
pushed a commit
to IronLanguages/ironpython2
that referenced
this pull request
Jan 13, 2023
* Fix CVE-2015-20107 Implemented fix from python/cpython#91993 * Update regex Update regex to be Python 2 compatible.
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this pull request
Oct 6, 2023
00382 # Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390 Backported from python3.
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 11, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 11, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 20, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 20, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 20, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 20, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
stratakis
pushed a commit
to stratakis/cpython
that referenced
this pull request
Mar 25, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
hroncok
pushed a commit
to fedora-python/cpython
that referenced
this pull request
Mar 26, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
mcepl
pushed a commit
to openSUSE-Python/cpython
that referenced
this pull request
Apr 2, 2024
Make mailcap refuse to match unsafe filenames/types/params (pythonGH-91993) Upstream: python#68966 Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here is a possible fix for CVE-2015-20107 for cases where mailcap needs to continue working, at least when following best practices: refuse to inject text into commands unless deemed safe by a list of allowed characters.