Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-11-16 07:48:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/source/x/xdg-utils/doinst.sh
Patrick J Volkerding 5a12e7c134 Slackware 13.0 
Wed Aug 26 10:00:38 CDT 2009
Slackware 13.0 x86_64 is released as stable!  Thanks to everyone who
helped make this release possible -- see the RELEASE_NOTES for the
credits.  The ISOs are off to the replicator.  This time it will be a
6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD.
We're taking pre-orders now at store.slackware.com.  Please consider
picking up a copy to help support the project.  Once again, thanks to
the entire Slackware community for all the help testing and fixing
things and offering suggestions during this development cycle.
As always, have fun and enjoy!  -P.
2018-05-31 22:41:17 +02:00

100 lines
4 KiB
Bash
Raw Blame History

#!/bin/sh
# Regarding xdg-open in /etc/mailcap:
#
# It turns out that xdg-open is not very smart about what it
# passes off control to, leading to security problems where (for
# example) a file could be provided on a web site as a PDF, but
# rather than send it to a PDF viewer, xdg-open sends it to kfmclient
# which uses a whole different set of criteria to determine what sort
# of file it is. It's trivial to make something that's detected as
# a PDF at first, but then is executed as a .desktop file later,
# resulting in the execution of arbitrary code as the user.
#
# This is not acceptable, and we see no way to fix it as long as
# xdg-open passes off the resolution of the file type (again) to
# something else. In light of the potential security risks, we
# will turn off the use of xdg-open if it appears to have been
# added by a previous version of the xdg-utils package.
#
# Vulnerability code: CVE-2009-0068
# First, we will detect an automatically modified mailcap by
# looking for the comment "# Sample xdg-open entries:"
if [ -r etc/mailcap ]; then
if grep -q "^# Sample xdg-open entries:$" etc/mailcap ; then
COOKIE=$(usr/bin/mcookie)
if [ -z $COOKIE ]; then
exit 1
fi
# First, add a space to the end of the comment used to detect this
# junk so that we won't detect it again (in case the user decides
# to enable this themselves later on -- their call). Add a warning
# about this type of xdg-open use being insecure. Finally, comment
# out any lines like this.
echo "# Sample xdg-open entries: " > tmp/mailcap-$COOKIE
cat << EOF >> tmp/mailcap-$COOKIE
#
# NOTE: Using xdg-open in /etc/mailcap in this way has been
# shown to be insecure and is not recommended (CVE-2009-0068)!
# A remote attacker can easily make a filetype such as a
# .desktop script appear to xdg-open as a PDF file causing its
# arbitrary contents to be executed. Consider these to be
# examples of what NOT to do. The xdg-utils package no longer
# adds any lines such as these to /etc/mailcap.
#
EOF
cat etc/mailcap \
| grep -v "# Sample xdg-open entries:" \
| sed -e 's/^audio\/\*; \/usr\/bin\/xdg-open %s/#audio\/\*; \/usr\/bin\/xdg-open %s/g' \
| sed -e 's/^image\/\*; \/usr\/bin\/xdg-open %s/#image\/\*; \/usr\/bin\/xdg-open %s/g' \
| sed -e 's/^application\/msword; \/usr\/bin\/xdg-open %s/#application\/msword; \/usr\/bin\/xdg-open %s/g' \
| sed -e 's/^application\/pdf; \/usr\/bin\/xdg-open %s/#application\/pdf; \/usr\/bin\/xdg-open %s/g' \
| sed -e 's/^application\/postscript ; \/usr\/bin\/xdg-open %s/#application\/postscript ; \/usr\/bin\/xdg-open %s/g' \
| sed -e 's/^text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/#text\/html; \/usr\/bin\/xdg-open %s ; copiousoutput/g' >> tmp/mailcap-$COOKIE
cat tmp/mailcap-$COOKIE > etc/mailcap
rm -f tmp/mailcap-$COOKIE
fi
fi
## BEGIN (HERE IS WHAT CAUSED THIS MESS):
## Add some reasonable default values for xdg-open to /etc/mailcap,
## since this is where many programs look for this information:
#
#if ! grep -q '# Sample xdg-open entries:' etc/mailcap 1> /dev/null 2> /dev/null ; then
# echo "# Sample xdg-open entries:" >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q 'audio/' etc/mailcap ; then
# echo 'audio/*; /usr/bin/xdg-open %s' >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q 'image/' etc/mailcap ; then
# echo 'image/*; /usr/bin/xdg-open %s' >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q 'application/msword' etc/mailcap ; then
# echo 'application/msword; /usr/bin/xdg-open %s' >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q 'application/pdf' etc/mailcap ; then
# echo 'application/pdf; /usr/bin/xdg-open %s' >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q 'application/postscript' etc/mailcap ; then
# echo 'application/postscript ; /usr/bin/xdg-open %s' >> etc/mailcap
# echo >> etc/mailcap
#fi
#if ! grep -q '#text/html' etc/mailcap ; then
# echo '#text/html; /usr/bin/xdg-open %s ; copiousoutput' >> etc/mailcap
# echo >> etc/mailcap
#fi
## END
Reference in a new issue View git blame Copy permalink