Re: So-called "remote exploit in pine"

From: peakat_private
Date: Fri Feb 12 1999 - 12:53:16 PST


    On Wed, 10 Feb 1999, Pine Development Team wrote:
    
    > While one could modify Pine to guard against the particular exploit
    > permitted by the mailcap entries in question, it is very difficult to
    > conceive of a truly safe "paranoid mode" other than disabling parameter
    > substitution entirely.  However, we suspect most people will find it far
    > easier to remove any unsafe entries from their mailcap configuration file.
    
    A truly safe "paranoid mode" would be to refuse to execute the command
    if the substitution could lead to any undesired effects--i.e. if any of the
    substituted values contains a suspicious character. This could break some
    functionality (but in fact, strange characters should never appear
    anywhere save from %{boundary}) but you can always show the command to the
    user and ask him/her. Well, lusers would lose anyway...
    
    Of course, a real solution would be to pass the information using a
    channel that is not subject to as much automagical interpretation as
    the raw text of shell commands. Environment variables, perhaps? Anything
    but the dangerous RFC-1524-Appendix-A(?) way.
    
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
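The following is an added example, not part of the original post and not Pine's code: it shows what RFC 1524 `%s`/`%t`/`%{name}` substitution does to a mailcap command line when a sender-controlled Content-Type parameter such as `boundary=` is spliced into it, and then the two mitigations the post sketches side by side, a "paranoid mode" that refuses to run if any substituted value contains a shell metacharacter, and passing the values through environment variables so the shell text only ever contains variable references. The mailcap entry, the attachment attributes and the hostile boundary value are constructed for the demonstration; the `MAILCAP_*` variable names are an assumption of this example, not anything Pine or RFC 1524 defines.

```python
import os
import re
import subprocess

# Constructed mailcap command line (hypothetical, not from the original post).
# Per RFC 1524, %s is the file holding the body part, %t the content type,
# %{name} the value of a Content-Type parameter, and %% a literal percent.
MAILCAP_COMMAND = "printf '%%s\\n' %s %t %{boundary}"

# Constructed message attributes. The sender controls Content-Type
# parameters such as boundary=, and they reach the command text unchanged.
FILENAME = "/tmp/att.txt"
CTYPE = "text/plain"
BENIGN_PARAMS = {"boundary": "----=_Part_1"}
HOSTILE_PARAMS = {"boundary": "x; echo PWNED"}

TOKEN = re.compile(r"%(s|t|\{[^}]*\}|%)")

# Characters /bin/sh treats as syntax; one of these in a value about to be
# substituted means the value will not reach the program as plain data.
SUSPICIOUS = set('`$\\"\'|&;<>(){}\n\r')


def resolve(token, filename, ctype, params):
    """Map one %-token to the value RFC 1524 says it stands for."""
    if token == "s":
        return filename
    if token == "t":
        return ctype
    if token == "%":
        return "%"
    return params.get(token[1:-1], "")  # %{name}; a missing parameter is empty


def substitute_unsafe(command, filename, ctype, params):
    """RFC 1524 Appendix A style: splice the raw values into the shell text."""
    return TOKEN.sub(lambda m: resolve(m.group(1), filename, ctype, params),
                     command)


def paranoid_violations(command, filename, ctype, params):
    """Paranoid mode: the (token, value) pairs that would be substituted and
    contain a shell metacharacter. An empty list means the command may run."""
    bad = []
    for m in TOKEN.finditer(command):
        token = m.group(1)
        if token == "%":
            continue
        value = resolve(token, filename, ctype, params)
        if SUSPICIOUS & set(value):
            bad.append(("%" + token, value))
    return bad


def substitute_via_env(command, filename, ctype, params):
    """The alternative the post suggests: the shell text only ever contains
    variable references; the values travel in the environment, which sh
    expands without reinterpreting them as syntax. MAILCAP_* names are an
    assumption of this example."""
    env = {}

    def repl(m):
        token = m.group(1)
        if token == "%":
            return "%"
        name = token[1:-1] if token.startswith("{") else token
        var = "MAILCAP_" + re.sub(r"[^A-Za-z0-9_]", "_", name)
        env[var] = resolve(token, filename, ctype, params)
        return '"$' + var + '"'

    return TOKEN.sub(repl, command), env


def run_sh(shell_text, extra_env=None):
    """Run the command line under /bin/sh, as a mail client would; return stdout."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env or {})
    return subprocess.run(["/bin/sh", "-c", shell_text], env=env,
                          capture_output=True, text=True).stdout


def demo():
    """The three behaviours on the hostile boundary value."""
    unsafe = substitute_unsafe(MAILCAP_COMMAND, FILENAME, CTYPE, HOSTILE_PARAMS)
    safe, env = substitute_via_env(MAILCAP_COMMAND, FILENAME, CTYPE, HOSTILE_PARAMS)
    return {
        "unsafe_command": unsafe,
        "unsafe_output": run_sh(unsafe),        # "PWNED" appears as a line
        "paranoid": paranoid_violations(MAILCAP_COMMAND, FILENAME, CTYPE,
                                        HOSTILE_PARAMS),
        "env_command": safe,
        "env_output": run_sh(safe, env),        # boundary printed verbatim
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

With the hostile boundary the unsafe path hands `printf '%s\n' /tmp/att.txt text/plain x; echo PWNED` to the shell, which runs the second command; the paranoid check flags `%{boundary}` because of the `;`, and the environment variant runs `printf '%s\n' "$MAILCAP_s" "$MAILCAP_t" "$MAILCAP_boundary"` and prints the boundary verbatim. The check as written also rejects the benign `----=_Part_1`-style boundary only if it contains one of the listed characters, so ordinary mail keeps working; a value containing a NUL byte cannot be placed in the environment at all and would have to be rejected up front.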
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:24 PDT