[Portland-bugs] [Bug 19377] Using xdg-open in mailcap causes serious hole in Firefox!

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Apr 8 10:13:00 PDT 2009


Ville Skyttä <ville.skytta at iki.fi> changed:

           What    |Removed                     |Added
                 CC|                            |ville.skytta at iki.fi

--- Comment #2 from Ville Skyttä <ville.skytta at iki.fi>  2009-04-08 10:12:59 PST ---
I'm afraid I'm responsible for suggesting this change to Fedora's mailcap file
without doing enough homework, and unfortunately it passed others' eyes as
well.  My sincere apologies.

But then again, I think there's something pretty disturbing in this picture,
running xdg-utils-1.0.2-5.20081121cvs.fc10.noarch on Fedora 10, with KDE 4.2.1:

$ echo -e '#!/bin/sh\necho hello' > foo.sh
$ chmod +x foo.sh
$ xdg-mime query filetype foo.sh
$ xdg-mime query default application/x-shellscript
$ xdg-open foo.sh

xdg-open is documented to open "a file or URL in the user's preferred
application".  In the above case it didn't, it caused foo.sh to be executed. 
And xdg-mime got it wrong as well; my preference order for
application/x-shellscript files in KDE file associations is XEmacs, Emacs, then

If I remove the executable bits from foo.sh, xdg-open opens it with XEmacs,
which is expected.  xdg-mime still shows application/x-shellscript.

FWIW, if I repeat the above otherwise exactly except using foo.png as the
filename instead of foo.sh, xdg-open opens it with my configured PNG viewer
(gwenview), and xdg-mime says it's image/png and the default is gwenview, no
matter whether foo.png is executable or not.

My conclusion of the above is that xdg-open has some "internal" security issues
as well (it executed the script despite my preferred app settings), at least in
my current setup.  And xdg-mime appears to be confused too in some scenarios
(why did it pick kwrite.desktop despite my app preference order?).

Some ideas on how to gradually improve things, don't know about feasibility:

1) Fix "xdg-mime query default" or the things it invokes to really return the
default app for a file type.  Hmm, I don't know if "default" and "preferred"
can be used interchangeably here - but in my case it didn't return the
"preferred" app.  If this is expected behavior, it would be good to have it

2) Make xdg-open use the default/preferred app returned by xdg-mime for opening
the file.

3) Add e.g. a --check-mimetype="mime/type" option to xdg-open that first
verifies whether the thing opened really looks like the given "mime/type"
before proceeding with the open, and if not, displays a failure message
(possibly in a GUI dialog) or asks for confirmation whether to proceed
(preferably also displaying what app it is about to use for opening the file).

I realize some of these might not really be issues in xdg-{open,mime} per se
but in the other executables they invoke, but perhaps there's a way to do
something about it in xdg-*.

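As an added illustration of idea 3) above (this is editor-supplied example code, not part of xdg-utils, Fedora's mailcap, or anything the commenter posted): a small POSIX sh wrapper that refuses to hand a file to xdg-open when it is executable, or when its contents do not look like the MIME type the caller claims for it. The sniff_mimetype function is an assumed stand-in that only recognises a PNG header and a "#!" shebang; a real wrapper would call `xdg-mime query filetype` or `file --mime-type -b` there. The function names, messages and the two-argument command-line form are all choices made for this example.

```shell
#!/bin/sh
# Example "check before open" wrapper, written for this page; not xdg-utils code.
# Usage: safe-open.sh FILE EXPECTED_MIME_TYPE

# sniff_mimetype FILE: print a MIME type guessed from the first 8 bytes.
# Assumed, deliberately tiny stand-in for `xdg-mime query filetype`:
# it knows only PNG magic and a "#!" shebang; everything else is
# reported as application/octet-stream.
sniff_mimetype() {
    magic=$(od -An -tx1 -N 8 -- "$1" | tr -d ' \n')
    case $magic in
        89504e470d0a1a0a) echo image/png ;;
        2321*)            echo application/x-shellscript ;;
        *)                echo application/octet-stream ;;
    esac
}

# check_open FILE EXPECTED: return 0 if FILE may be opened as EXPECTED,
# otherwise print the reason on stderr and return 1.
#   - only regular files are accepted
#   - executable files are refused outright, since the report above shows
#     xdg-open running an executable script instead of opening it
#   - the sniffed type must match the type the caller claims (this is the
#     --check-mimetype idea: a "foo.png" that starts with "#!" is refused)
check_open() {
    f=$1
    expected=$2
    if [ ! -f "$f" ]; then
        echo "check_open: $f: not a regular file" >&2
        return 1
    fi
    if [ -x "$f" ]; then
        echo "check_open: $f: refusing to pass an executable file to xdg-open" >&2
        return 1
    fi
    actual=$(sniff_mimetype "$f")
    if [ "$actual" != "$expected" ]; then
        echo "check_open: $f: content looks like $actual, not $expected" >&2
        return 1
    fi
    return 0
}

# safe_open FILE EXPECTED: run the checks, then delegate to the real xdg-open.
safe_open() {
    check_open "$1" "$2" || return 1
    xdg-open "$1"
}

# Stand-alone use: safe-open.sh FILE EXPECTED_MIME_TYPE
if [ $# -eq 2 ]; then
    safe_open "$1" "$2"
fi
```

The executable-bit refusal is a guard in the caller, not a fix for xdg-open itself; the check is also only as good as the type detection behind it, so in practice the stand-in sniffer should be replaced by the same detector the desktop uses, and the file should not be writable by anyone else between the check and the open.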