Bug#975370: xdg-utils: CVE-2020-27748: local file inclusion vulnerability
jscott at posteo.net
Sun Dec 6 18:36:03 GMT 2020
On Sunday, November 29, 2020 1:40:17 AM EST Nicholas Guriev wrote:
> Proposed change offers to completely remove `attach` parameter. I don't
> like to break existing features.
It appears that it only removes the attach parameter for Thunderbird in that
commit. Perhaps that's because other mail clients handle hidden attachments
better. With xdg-email as packaged now KMail does in fact show an extra large
warning about a hidden attachment (IIRC they had a related CVE not too long
ago), but attachments seem to be visible in Thunderbird in any case.
It appears upstream versions of Thunderbird don't respect the ?attach
parameter in mailto URIs, but xdg-email parses the URI into Thunderbird-style
command-line arguments. These, as given from xdg-email, are considered trusted
input and honored, as opposed to if mailto:foo?attach=bar were given to
Thunderbird directly. xdg-email's conversion thus causes a misinterpretation
of trust by Thunderbird.
Thunderbird's intent to not support the ?attach parameter for untrusted clicks
from browsers, but still allow non-URI command-line specified attachments seems
a reasonable compromise. A solution which might let xdg-email practice the
same is to honor the attachment, and convert it to a Thunderbird command-line
parameter, if invoked as
xdg-email --attach foo mailto:bar
but discard it if invoked as
Indeed this seems to have been the intent from the description of the merge
It looks like Reportbug's xdg-email backend uses the latter functionality, but
it would probably be a trivial change to switch to the --attach form.
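The --attach-versus-?attach distinction described in this message, as an added example (not xdg-utils' own script; the `-compose` field format `to='..',subject='..',attachment='file://..'` is assumed from Thunderbird's command line, and percent-decoding and quote escaping of values are omitted):

```shell
# Added example, not the xdg-utils script: build a Thunderbird-style -compose
# string from a mailto: URI. Attachments are honoured only when given as
# explicit --attach options (trusted, command-line input) and any attach=
# field inside the URI itself is discarded with a warning.
# Usage: build_compose [--attach /abs/path]... 'mailto:ADDR?field=value&...'
build_compose() {
    attachments=""
    uri=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --attach)
                # Explicit command-line attachment: trusted input, keep it.
                [ $# -ge 2 ] || { echo "--attach needs a file" >&2; return 1; }
                case "$2" in
                    /*) attachments="${attachments}${attachments:+,}attachment='file://$2'" ;;
                    *) echo "--attach needs an absolute path: $2" >&2; return 1 ;;
                esac
                shift ;;
            mailto:*) uri="$1" ;;
            *) uri="mailto:$1" ;;
        esac
        shift
    done
    addr="${uri#mailto:}"
    query=""
    case "$addr" in
        *\?*) query="${addr#*\?}"; addr="${addr%%\?*}" ;;
    esac
    out="to='$addr'"
    # Walk the &-separated query fields without IFS splitting or globbing.
    rest="$query"
    while [ -n "$rest" ]; do
        field="${rest%%\&*}"
        if [ "$field" = "$rest" ]; then rest=""; else rest="${rest#*\&}"; fi
        key="${field%%=*}"; value="${field#*=}"
        case "$key" in
            subject|body|cc|bcc) out="${out},${key}='${value}'" ;;
            # URI-supplied attachments are untrusted: drop them, loudly.
            attach|attachment) echo "ignoring attach= in mailto URI: $value" >&2 ;;
            *) echo "ignoring unknown mailto field: $key" >&2 ;;
        esac
    done
    if [ -n "$attachments" ]; then out="${out},${attachments}"; fi
    printf '%s\n' "$out"
}
# Constructed sample call: the URI's attach= is dropped, the --attach is kept.
build_compose --attach /tmp/report.txt 'mailto:bar@example.org?subject=Hi&attach=/etc/passwd'
```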