Using xdg-open in mailcap causes serious hole in Firefox!
Submitted by Manuel Reimer
Assigned to Portland Bugs
Created attachment 21642: The mailcap file, as it gets delivered with Slackware 12.2
I've attached the /etc/mailcap that Slackware 12.2 ships by default.
Firefox uses mailcap to detect the default application. With the mailcap file used in Slackware, Firefox uses xdg-open as the default application for several "secure" MIME types like audio files and PDF files. As xdg-open itself detects the "real" MIME type (or rather asks the desktop manager to detect it), it's possible to execute dangerous files by delivering them with a faked MIME type.
I've created a test page to demonstrate the problem (see URL above). Steps to test:
- Create a new user for the test (to be sure we are on default settings everywhere and to be sure the demonstration program doesn't kill something ;-)).
- Log into a KDE session with this user.
- Copy the attached mailcap to $HOME/.mailcap
- Start Firefox
- Visit the above URL (you have to add a security exception, as the certificate belongs to mozdev.org), click the link and just hit "OK" to accept the default selected by Firefox.
Result: You'll see a small demonstration program, nested in the .desktop file.
I don't know why the Slackware developers got the idea to use xdg-open in mailcap, but you should add a note somewhere in your documentation (maybe the README file in your source) which warns not to use xdg-open too carelessly, as it may also execute potentially dangerous files. You should also add a note that xdg-open should not be used in mailcap files, as this may cause security problems if applications expect trusted "viewing applications" there (example: Firefox).
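As an added example (not part of this report or of xdg-utils), a small Python audit that parses a mailcap file and flags every entry whose view command is xdg-open, since such an entry hands the MIME-type decision back to the desktop instead of the type the mailcap line names. The SAMPLE_MAILCAP content is constructed for the demo, not the attached Slackware file.

```python
"""Audit a mailcap file for viewer entries that delegate to xdg-open."""
import re
from typing import List, Tuple

# Constructed sample (not the Slackware 12.2 attachment): two entries hand
# off to xdg-open, one uses a dedicated viewer, one spans a continued line.
SAMPLE_MAILCAP = """\
# comment line
application/pdf; xdg-open %s; test=test -n "$DISPLAY"
audio/*; xdg-open %s
image/png; display %s; \\
    description=PNG image
text/plain; less %s; needsterminal
"""


def parse_mailcap(text: str) -> List[Tuple[str, str]]:
    """Return (mime_type, command) pairs, honouring '#' comments,
    backslash line continuations and '\\;' escapes inside commands."""
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: join with the next line
            logical += line[:-1] + " "
            continue
        logical += line
        stripped, logical = logical.strip(), ""
        if not stripped or stripped.startswith("#"):
            continue
        fields = re.split(r"(?<!\\);", stripped)   # split on unescaped ';'
        if len(fields) < 2:
            continue
        entries.append((fields[0].strip(), fields[1].strip()))
    return entries


def find_xdg_open_entries(text: str) -> List[Tuple[str, str]]:
    """Flag entries whose view command is xdg-open (bare or with a path):
    xdg-open re-detects the real type, so the mailcap type is not what opens."""
    return [(mt, cmd) for mt, cmd in parse_mailcap(text)
            if re.match(r"^(\S*/)?xdg-open(\s|$)", cmd)]


if __name__ == "__main__":
    for mt, cmd in find_xdg_open_entries(SAMPLE_MAILCAP):
        print(f"WARNING: {mt!r} is handled by {cmd!r}")
```

Point it at a real file with `find_xdg_open_entries(open("/etc/mailcap").read())`; on the sample it reports the application/pdf and audio/* entries only.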