The BROWSER environment variable proposal is another wording proposal that's been sitting in the Policy bug queue for quite some time with plenty of seconds and a concrete wording proposal. I'd like to resurrect this discussion and put it permanently to rest one way or the other.

Copying Joey as the original proposer and Clint just in case you're not following debian-policy at the moment, since the outcome of this discussion may affect sensible-browser in debianutils and the resolution of Bug#289745.

After reading through the bug log and reading some of the discussion of BROWSER at <http://www.dwheeler.com/browse/>, I'm inclined to agree with the following analysis from that page:

    In particular, a major debate is whether it's worth calling the shell. The shell call may be removed as being too dangerous. Options include: (1) BROWSER only having a list of program names, (2) BROWSER listing programs with constant arguments (no need for %s), and (3) Using "%" replacements but avoiding the shell. The "%" replacements are increasingly looking undesirable; they take more work to program, and handling Netscape/Mozilla properly requires writing a short program anyway (so they don't seem to be helpful).

Accordingly, I think Debian should implement the alternative proposal that doesn't allow %s escapes. This is compatible with the proposal that does, and with what sensible-browser does today, except that people who have a BROWSER environment variable setting that uses %s will find that it won't work if this approach is adopted. I'm dubious how many people have gotten that to work successfully; see http://bugs.debian.org/289745 as noted above and the problems uncovered there.

Here is a patch based heavily on Joey's original patch that describes that. This patch (similar to Joey's) doesn't include the URL canonicalization requirements of the secure BROWSER specification. They don't seem obviously necessary to me and are complex and would add a lot of additional wording to explain how to canonicalize URLs.

Comments? Seconds?

--- orig/policy.sgml +++ mod/policy.sgml 
@@ -8441,6 +8441,65 @@ for games (X and non-X games) should be installed in <file>/usr/share/man/man6</file>.</p> </sect> + + <sect> + <heading>Web browsers</heading> + + <p> + Some programs have the ability to launch a web browser to + display an URL. Since there are lots of different web browsers + available in the Debian distribution, the system administrator + and each user should have the possibility to choose a preferred + web browser. + </p> + + <p> + In addition, programs should choose a good default web browser + if none is selected by the user or system administrator. + </p> + + <p> + Thus, every program that launches a web browser with an URL + should use the BROWSER environment variable to determine what + browser the user wishes to use. + </p> + + <p> + The value of BROWSER may consist of a colon-separated series of + browser command parts. These should be tried in order until one + succeeds. A command part consists of the command to executed + followed by 0 or more arguments separated by one or more spaces. + The command and arguments should be separated at the spaces, the + URL added as a final argument, and the resulting command + executed directly (not via the shell).<footnote> + This protects against bugs and security problems caused by + shell metacharacters in the browser arguments or URL. This + specification is compatible with the + <url id="http://www.dwheeler.com/browse/" + name="Alternative Secure BROWSER Definition">. + </footnote> + </p> + + <p> + If the BROWSER environment variable is not set, the program can + use <file>/usr/bin/x-www-browser</file> if DISPLAY is set, and + <file>/usr/bin/www-browser</file> if not. These two files are + managed through the dpkg alternatives mechanism. Thus every + package providing a general-purpose web browser must call the + <prgn>update-alternatives</prgn> program to register the + appopriate one of these alternatives. 
+ </p> + + <p> + Instead of implementing the above in every program that runs a + web browser, programs in Debian may be configured to use + <file>/usr/bin/sensible-browser</file>. This is a program + provided by the Debian base system that checks the BROWSER + environment variable, and falls back to + <file>/usr/bin/x-www-browser</file> or + <file>/usr/bin/www-browser</file> if it is not set. + </p> + </sect> </chapt>

-- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
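
Review bot: In the paragraph defining the value of BROWSER, "tried in order until one succeeds" leaves success undefined, and "the URL added as a final argument" does not cover a URL that begins with "-", which the browser would read as an option even though no shell is involved. Suggest stating the success test (for example, that the command could be executed and exited with status zero) and requiring callers to reject or otherwise neutralise such URLs before appending them. Splitting at colons and spaces also means a command path or argument containing either character cannot be expressed, and the handling of empty command parts is unspecified; each deserves a sentence. The fallback paragraph and the sensible-browser paragraph only cover BROWSER being unset, not the case where every listed command fails. Two typos: "the command to executed" should read "the command to be executed", and "appopriate" should read "appropriate".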
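
The launch procedure the proposed wording describes (colon-separated parts, split at spaces, URL appended, executed without the shell), as an added example that is not part of the original message and is not sensible-browser's code. The function names are hypothetical, and three behaviours are assumptions the wording does not fix: "succeeds" is taken as exit status 0, empty command parts are skipped, and an empty BROWSER is treated as unset.

```python
import os
import subprocess


def browser_commands(browser_value, url):
    """Build the argv lists to try, in order, from a BROWSER value."""
    commands = []
    for part in browser_value.split(":"):         # colon-separated command parts
        argv = [a for a in part.split(" ") if a]  # split at one or more spaces
        if not argv:
            continue  # assumption: empty parts ("a::b", trailing colon) are skipped
        argv.append(url)  # the URL is always one final argument, never re-parsed
        commands.append(argv)
    return commands


def launch_browser(url, environ=None, run=subprocess.call):
    """Try each candidate without a shell; return the argv that succeeded, or None."""
    environ = os.environ if environ is None else environ
    value = environ.get("BROWSER")
    if value:  # assumption: an empty BROWSER is treated like an unset one
        candidates = browser_commands(value, url)
    elif "DISPLAY" in environ:
        candidates = [["/usr/bin/x-www-browser", url]]
    else:
        candidates = [["/usr/bin/www-browser", url]]
    for argv in candidates:
        try:
            # Passing a list means direct execution: no shell ever interprets
            # metacharacters in the browser arguments or in the URL.
            if run(argv) == 0:  # assumption: "succeeds" means exit status 0
                return argv
        except OSError:
            continue  # command missing or not executable: try the next part
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the original message.
    sample_url = "http://example.org/?a=1&b=2;c"
    for argv in browser_commands("firefox  -new-tab:lynx", sample_url):
        print(argv)
```

The `run` parameter exists so the selection logic can be exercised without starting a real browser.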