- Package:
- iceweasel
- Source:
- firefox-esr
- Submitter:
- Jim Paris
- Date:
- 2015-12-17 16:54:33 UTC
- Severity:
- important
- Tags:
Firebird seems to be very half-assed about using mailcap entries -- it will use the program name but nothing else, always putting the filename as the first argument. "man mailcap" says nothing about this interpretation.

For example, this line from bittorrent in /etc/mailcap:

    application/x-bittorrent; /usr/bin/btdownloadgui --responsefile '%s'; test=test -n "$DISPLAY"

causes mozilla-firebird to execute "/usr/bin/btdownloadgui <filename>" rather than the specified command-line.

Since this, as far as I can tell, is an undocumented behavior, and it is passing remotely-defined filenames to applications in a way not specified by the system configuration files, it could also potentially be a security issue, although I'll leave severity as wishlist for now.
Re: Jim Paris in <200402141944.i1EJivjC030817@neurosis.jim.sh>

Same here:

    text/*; xterm -e less '%s'; test=test -n "$DISPLAY"

leads to

    /usr/X11R6/bin/xterm: bad command line option "/srv/tmp/debian-NEW-summary-update-1.sh"

Christoph
forwarded 232688 https://bugzilla.mozilla.org/show_bug.cgi?id=83305
thanks

* Christoph Berg (cb@df7cb.de) wrote:

Yup. Here's the upstream bug.
Dear Firefox/Iceweasel user,

Thanks for your interest in Firefox/Iceweasel and the bug report you have contributed.

Your bug report [0] was done for a version which isn't a part of Debian anymore. Debian 4.0 (Etch) was released with version 2.0.0.3. Please reproduce your bug on an updated version of Iceweasel and confirm it still exists, or close it as irrelevant for recent versions.

If you don't know or are not sure how to update or close your bug report, please contact me directly, and I'll help you.

IMPORTANT: In any case, please provide version info, as we use it to determine the relevance of the bug.

As this bug is quite old, I intend to close it if you don't update your bug report in the next 6 weeks. This is the time line for the old bugs cleanup:

1. October 1st - First notice.
2. October 15th - Second notice.
3. October 29th - Third notice.
4. November 12th - Closing the bug.

Please help the Firefox/Iceweasel maintainer to help you (:

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=232688
tags 232688 security
thanks

Lior Kaplan wrote:

Yes, the bug still exists on 2.0.0.3, and I still consider it an active security hole that absolutely needs attention. Consider that my .mailcap contains the entry

    application/postscript: /usr/bin/gv -safer "%s"

Iceweasel still half-ignores this and executes

    /usr/bin/gv <filename>

ignoring the important "-safer" argument.
Iceweasel also ignores the needsterminal flag in the mailcap files, which means among other things that the default entry for text files (text/plain; less '%s'; needsterminal) doesn't work at all. Not pretty.
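
The difference reported in this thread, as an added example that is not part of the original bug report and is not Firefox/Iceweasel code: it parses mailcap entries, builds the argument list the entry asks for, builds the one the reports describe, and lists what each entry loses. The function names are hypothetical, the sample entries are constructed from the lines quoted above (with the standard ";" separator), and tokenising with shlex instead of handing the command to a shell is a choice of this example so that the downloaded file name always stays a single argument.

```python
import re
import shlex

# Constructed sample entries, adapted from the mailcap lines quoted in this report.
SAMPLE_MAILCAP = """\
application/x-bittorrent; /usr/bin/btdownloadgui --responsefile '%s'; test=test -n "$DISPLAY"
application/postscript; /usr/bin/gv -safer "%s"
text/plain; less '%s'; needsterminal
"""

def parse_entry(line):
    """Split one mailcap line into (mime type, view command, flags)."""
    # Fields are separated by ';' unless the ';' is backslash-escaped.
    fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
    flags = {}
    for field in fields[2:]:
        name, _, value = field.partition("=")
        flags[name.strip()] = value.strip() or True
    return fields[0], fields[1], flags

def argv_per_mailcap(command, filename):
    """Tokenise the template first, then substitute %s, so the file name
    always stays a single argument and no shell ever parses it."""
    return [tok.replace("%s", filename) for tok in shlex.split(command)]

def argv_as_reported(command, filename):
    """Behaviour described in this report: program name, then the file name."""
    return [shlex.split(command)[0], filename]

def audit(mailcap_text, filename):
    """Return (mime type, arguments lost, needsterminal) for each entry whose
    launch would differ between the two behaviours."""
    findings = []
    for line in mailcap_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mime, command, flags = parse_entry(line)
        want = argv_per_mailcap(command, filename)
        got = argv_as_reported(command, filename)
        lost = [a for a in want[1:] if a not in got]
        if lost or flags.get("needsterminal"):
            findings.append((mime, lost, bool(flags.get("needsterminal"))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAILCAP, "/tmp/download.bin"):
        print(finding)
```

Run against a real /etc/mailcap or ~/.mailcap, the audit output shows which handlers depend on arguments such as "-safer" that would be dropped.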