Bug#975370: xdg-utils: CVE-2020-27748: local file inclusion vulnerability

John Scott jscott at posteo.net
Sun Dec 6 18:36:03 GMT 2020


On Sunday, November 29, 2020 1:40:17 AM EST Nicholas Guriev wrote:
> Proposed change offers to completely remove `attach` parameter. I don't
> like to break existing features.

It appears that it only removes the attach parameter for Thunderbird in that 
commit. Perhaps that's because other mail clients handle hidden attachments 
better. With xdg-email as packaged now KMail does in fact show an extra large 
warning about a hidden attachment (IIRC they had a related CVE not too long 
ago), but attachments seem to be visible in Thunderbird in any case.

It appears upstream versions of Thunderbird don't respect the ?attach 
parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style 
command-line arguments. These, as given from xdg-email, are considered trusted 
input and honored, as opposed to if mailto:foo?attach=bar were given to 
Thunderbird directly. xdg-email's conversion thus causes a misinterpretation 
of trust by Thunderbird.

Thunderbird's intent to not support the ?attach parameter for untrusted clicks 
from browsers, but still allow non-URI command-line specified attachments seems 
a reasonable compromise. A solution which might let xdg-email practice the 
same is to honor the attachment, and convert it to a Thunderbird command-line 
parameter, if invoked as
    xdg-email --attach foo mailto:bar
but discard it if invoked as
    xdg-email mailto:bar?attach=foo

Indeed this seems to have been the intent from the description of the merge 
request: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/28

It looks like Reportbug's xdg-email backend uses the latter functionality, but 
it would probably be a trivial change to switch to the --attach form. 
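
The policy proposed in the message above, as an added example that is not part of the original message and not xdg-email's own code: attach= fields arriving inside a mailto URI are discarded, while files named with --attach on the command line are kept. The function names strip_uri_attach and plan_compose, the output format, and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and output format are hypothetical.

# strip_uri_attach MAILTO_URI
# Prints the URI with every attach field removed from its query part.
# Field names are compared case-insensitively. A name containing '%' is
# dropped too, because a percent-encoded name could spell "attach"
# (a conservative assumption, not behaviour taken from xdg-email).
# The body runs in a subshell so the IFS and noglob changes do not leak.
strip_uri_attach() (
    uri=$1
    case $uri in
        *\?*) base=${uri%%\?*}; query=${uri#*\?} ;;
        *)    printf '%s\n' "$uri"; exit 0 ;;
    esac
    kept=
    IFS='&'
    set -f                      # no pathname expansion while splitting
    for field in $query; do
        name=$(printf '%s' "${field%%=*}" | tr '[:upper:]' '[:lower:]')
        case $name in
            attach|*%*) continue ;;
        esac
        kept="${kept:+$kept&}$field"
    done
    printf '%s\n' "$base${kept:+?$kept}"
)

# plan_compose ARGS...
# Files given with --attach are trusted and reported; the mailto URI is
# passed through strip_uri_attach first. Prints one "attach <file>" line
# per trusted attachment, then "uri <sanitized uri>".
plan_compose() {
    uri=
    while [ $# -gt 0 ]; do
        case $1 in
            --attach) [ $# -ge 2 ] || return 1
                      printf 'attach %s\n' "$2"; shift ;;
            mailto:*) uri=$(strip_uri_attach "$1") ;;
            *)        return 1 ;;
        esac
        shift
    done
    printf 'uri %s\n' "$uri"
}
```
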

More information about the Pkg-freedesktop-maintainers mailing list