[3.10] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (GH-93543)

* gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (cherry picked from commit b9509ba7a9) * Add a What's New entry for 3.10.8. Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
2025-08-19 00:00:48 +00:00 · 2022-09-20 04:12:35 -07:00 · 2022-09-20 04:12:35 -07:00 · 96739bccf2
commit 96739bccf2
parent 7b6021b060
5 changed files with 54 additions and 4 deletions
--- a/Lib/mailcap.py
+++ b/Lib/mailcap.py
@ -2,6 +2,7 @@

 import os
 import warnings
+import re

 __all__ = ["getcaps","findmatch"]

@ -13,6 +14,11 @@ def lineno_sort_key(entry):
    else:
        return 1, 0

+_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
+
+class UnsafeMailcapInput(Warning):
+    """Warning raised when refusing unsafe input"""
+

 # Part 1: top-level interface.

@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
    entry to use.

    """
+    if _find_unsafe(filename):
+        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
+        warnings.warn(msg, UnsafeMailcapInput)
+        return None, None
    entries = lookup(caps, MIMEtype, key)
    # XXX This code should somehow check for the needsterminal flag.
    for e in entries:
        if 'test' in e:
            test = subst(e['test'], filename, plist)
+            if test is None:
+                continue
            if test and os.system(test) != 0:
                continue
        command = subst(e[key], MIMEtype, filename, plist)
-        return command, e
+        if command is not None:
+            return command, e
    return None, None

 def lookup(caps, MIMEtype, key=None):
@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
            elif c == 's':
                res = res + filename
            elif c == 't':
+                if _find_unsafe(MIMEtype):
+                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
+                    warnings.warn(msg, UnsafeMailcapInput)
+                    return None
                res = res + MIMEtype
            elif c == '{':
                start = i
@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
                    i = i+1
                name = field[start:i]
                i = i+1
-                res = res + findparam(name, plist)
+                param = findparam(name, plist)
+                if _find_unsafe(param):
+                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
+                    warnings.warn(msg, UnsafeMailcapInput)
+                    return None
+                res = res + param
            # XXX To do:
            # %n == number of parts if type is multipart/*
            # %F == list of alternating type and filename for parts