Hi Bernhard,

On Sat, Aug 1, 2009 at 18:41, Bernhard R. Link<brl...@debian.org> wrote:
> * Sandro Tosi <mo...@debian.org> [090801 17:55]:
>> [ making sensible-browser a symlink to xdg-open]
>> Honestly, I don't see that problem (but it won't surprise anyone if I'm
>> wrong) because it's something similar to double-click on a
>> malicious/dangerous executable in a file manager, hence why I wanted
>> to bring this to a wide audience.
>
> Please consider the following cases, which are usually considered
> security bugs:
>
> - some commercial mail program (you may guess one time which company
>   wrote it), automatically played audio files attached to an email
>   when opening it. To determine it is an audio file it looked at the
>   mime type, to play it the usual generic file opening code is used.
>   You may guess one time what happens if such a file is called
>   "virus.exe".
>
> - The browser links (or one of its many derivatives) has a list of
>   external programs for the different file types. When it is about to
>   start an external program it shows what file and which content type
>   (and I think which program) it is about to start. Sadly that default

not always: iceweasel (just to name one) asks but you can skip that
window clicking on a box. Maybe you can skip that check for every
file, didn't want to check.

> Even in the case of the file manager quoted above, I consider any
> program just calling xdg-open[2] with it as very likely a security problem.
> While users should not click on arbitrary stuff, they are usually shown
> a file-type of what they click on: some text in mail program's

they are usually shown a file extension (quite different from the
content of the file, if we consider a malicious situation) or an icon,
and I think a malicious guy can fake the "show the icon for the file"
algorithm.

> The possible problem with changing sensible-browser I see:
> Currently sensible-browser is opening a browser. All browsers I have yet
> met only show html (with enough ugly things like javascript and plugins,

I tried iceweasel with png, pdf, txt and also an odt, and guess what,
it opened it :) (and I was also surprised it opened the ooffice file in
an embedded tab, nice to know ;) ).

> but only what you also expose when surfing the net) or ask before
> starting another program (or were told to never ask again).
>
> Thus it is quite thinkable that some program has some file downloaded
> it thinks is html and gives this file to s-b, which would not be a problem
> now, but with xdg-open it likely could be.

So, I think that if you believe that x-o is so dangerous, you should
file a grave bug against it and against all the applications that use
it. But frankly I feel it is too extreme.

Anyway, have you looked at the x-o code? The file opening utility (because
it seems that is the main and only problem with this proposal) uses
run-mailcap to open a file, the standard way to open a file, or no? x-o
is just a glue around other tools to try to identify the best candidate
to open a file/URL.

So there are 2 options: either it is so damn wrong that it must be removed
from the archive, or there must be a stronger reasoning to not merge
s-b in x-o (even more so since x-o already uses s-b) than *hypothetical*
security problems.

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
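
The mismatch discussed in this thread (a caller decides by the declared MIME type, while the generic opener decides by file name or content) can be checked before a file is handed over. The Python sketch below is an added example, not part of the original message and not code from xdg-open or sensible-browser; the function names, the small magic-byte table and the sample inputs are constructed for illustration.

```python
import mimetypes

# Constructed magic-byte table for this sketch; a real check would use libmagic.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"ID3", "audio/mpeg"),
    (b"#!", "text/x-shellscript"),
]


def sniff(head):
    """Best-effort content type from the first bytes of a file, or None."""
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return None


def check_before_open(declared, filename, head):
    """Return (ok, reason); ok only when name and content match `declared`."""
    by_name, _ = mimetypes.guess_type(filename)
    by_content = sniff(head)
    if by_name != declared:
        return False, "name implies %s, caller declared %s" % (by_name, declared)
    if by_content != declared:
        return False, "content looks like %s, caller declared %s" % (by_content, declared)
    return True, "declared type, name and content agree"


# Constructed samples: (declared type, file name, first bytes of the file).
SAMPLES = [
    ("audio/mpeg", "virus.exe", b"MZ\x90\x00"),           # the mail-client case
    ("text/html", "page.html", b"\x7fELF\x02\x01\x01"),   # "thinks it is html"
    ("text/html", "page.html", b"<!DOCTYPE html><html>"),
    ("audio/mpeg", "song.mp3", b"ID3\x04\x00"),
]

if __name__ == "__main__":
    for declared, name, head in SAMPLES:
        ok, reason = check_before_open(declared, name, head)
        print("%-10s %-10s -> %s (%s)" % (declared, name, "open" if ok else "refuse", reason))
```

The check fails closed: content that the table cannot identify is refused rather than passed to the opener.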