[Portland-bugs] [Bug 19377] New: Using xdg-open in mailcap causes serious hole in Firefox!

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sat Jan 3 05:28:54 PST 2009


http://bugs.freedesktop.org/show_bug.cgi?id=19377

           Summary: Using xdg-open in mailcap causes serious hole in
                    Firefox!
           Product: Portland
           Version: unspecified
          Platform: All
               URL: https://prefbar.mozdev.org/testxdgopen.html
        OS/Version: All
            Status: NEW
          Keywords: security
          Severity: major
          Priority: medium
         Component: xdg-utils
        AssignedTo: portland-bugs at lists.freedesktop.org
        ReportedBy: Manuel.Spam at nurfuerspam.de


Created an attachment (id=21642)
 --> (http://bugs.freedesktop.org/attachment.cgi?id=21642)
The mailcap file, as it gets delivered with Slackware 12.2

Hello,

I've attached, below, the /etc/mailcap that Slackware 12.2 ships by default.

Firefox uses mailcap to detect the default application. With the mailcap file
used in Slackware, Firefox uses xdg-open as the default application for several
"secure" MIME types like audio files and PDF files. As xdg-open itself
detects the "real" MIME type (or rather asks the desktop manager to detect it),
it's possible to execute dangerous files by delivering them with a faked
MIME type.

I've created a test page to demonstrate the problem (see URL above). Steps to
test:

- Create a new user for the test (to be sure we are on default settings
everywhere and to be sure the demonstration program doesn't kill something
;-)).
- Log into a KDE session with this user.
- Copy the attached mailcap to $HOME/.mailcap
- Start Firefox
- Visit the above URL (you have to add a security exception, as the certificate
belongs to mozdev.org), click the link and just hit "OK" to accept the default
selected by Firefox.

Result: You'll see a small demonstration program, nested into the .desktop
file.

I don't know why the Slackware developers got the idea to use xdg-open in
mailcap, but you should add a note somewhere in your documentation (maybe the
README file in your source) which warns not to use xdg-open too carelessly, as it
may also execute potentially dangerous files. You should also add a note that
xdg-open should not be used in mailcap files, as this may cause security
problems if applications expect trusted "viewing applications" there (example:
Firefox).


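A defensive check for the misconfiguration this report describes, added here as an example and not part of the original report or of xdg-utils: it parses a mailcap file and lists the MIME types whose handler is xdg-open. The sample mailcap is constructed (it is not the Slackware 12.2 attachment), and the function names are hypothetical.

```python
import re
import shlex

# Openers that re-detect the file type themselves instead of viewing the file
# as the declared MIME type. The report names only xdg-open.
GENERIC_OPENERS = {"xdg-open"}

# Constructed sample input, not the attachment from the bug report.
SAMPLE = """\
# constructed sample mailcap
audio/*; /usr/bin/xdg-open %s
application/pdf; xdg-open '%s'; test=test -n "$DISPLAY"
text/html; lynx -dump %s; \\
    copiousoutput
image/png; display %s
"""

def parse_mailcap(text):
    """Yield (mime_type, view_command) per entry, joining backslash continuations."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ';' unless the semicolon is escaped as '\;'.
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2 and "/" in fields[0]:
            yield fields[0].lower(), fields[1]

def risky_entries(text, openers=GENERIC_OPENERS):
    """Return entries whose view command invokes a generic opener."""
    found = []
    for mime, command in parse_mailcap(text):
        try:
            argv = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = command.split()
        if any(tok.rsplit("/", 1)[-1] in openers for tok in argv):
            found.append((mime, command))
    return found

if __name__ == "__main__":
    for mime, command in risky_entries(SAMPLE):
        print(f"{mime}: delegates to a generic opener -> {command}")
```

To audit a real system, pass the contents of `/etc/mailcap` and `$HOME/.mailcap` to `risky_entries` in place of the sample.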