From f7e524f1a7100545042241e68f83099a07c30086 Mon Sep 17 00:00:00 2001 From: Thomas Roessler Date: Tue, 7 Sep 1999 06:52:11 +0000 Subject: [PATCH] Adding notes from README.SECURITY. --- doc/manual.sgml.head | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/doc/manual.sgml.head b/doc/manual.sgml.head index 601c73cf..d5743ddd 100644 --- a/doc/manual.sgml.head +++ b/doc/manual.sgml.head @@ -2164,7 +2164,7 @@ text/plain; more %s Perhaps you would like to use lynx to interactively view a text/html message: -text/html; lynx "%s" +text/html; lynx %s In this case, lynx does not support viewing a file from stdin, so you must use the %s syntax. @@ -2177,17 +2177,48 @@ On the other hand, maybe you don't want to use lynx interactively, you just want to have it convert the text/html to text/plain, then you can use: -text/html; lynx -dump "%s" | more +text/html; lynx -dump %s | more Perhaps you wish to use lynx to view text/html files, and a pager on all other text formats, then you would use the following: -text/html; lynx "%s" +text/html; lynx %s text/*; more This is the simplest form of a mailcap file. +Secure use of mailcap +

+The interpretion of shell meta-characters embedded in MIME parameters +can lead to security problems in general. Mutt tries to quote parameters +in expansion of %s syntaxes properly, and avoids risky characters by +substituting them, see the variable. + +Although mutt's procedures to invoke programs with mailcap seem to be +safe, there are other applications parsing mailcap, maybe taking less care +of it. Therefore you should pay attention to the following rules: + + +text/test-mailcap-bug; cat %s; copiousoutput; test=charset=%{charset} \ + && test "`echo $charset | tr '[A-Z]' '[a-z]'`" != iso-8859-1 + + Advanced mailcap Usage

-- 2.40.0
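Review bot: In the first hunk (@@ -2164,7) the entry changes from `text/html; lynx "%s"` to `text/html; lynx %s`, but the tutorial text around it gives no reason for the unquoted form, so a reader copying the example may put the quotes back. Suggest adding one sentence beside this first example saying that quoting of %s is done by the program expanding the mailcap entry (the new section says Mutt "tries to quote parameters in expansion of %s syntaxes properly"), with a pointer to "Secure use of mailcap".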
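Review bot: In the second hunk (@@ -2177,17) the new "Secure use of mailcap" text ends with "Therefore you should pay attention to the following rules:" but, as the lines read here, no rules follow, only the text/test-mailcap-bug entry, so the reader is not told what to do or avoid. Suggest spelling the rules out before the example and stating what the example is meant to show, namely that %{charset} is first assigned to a shell variable (`charset=%{charset}`) and only `$charset` appears inside the backticks. Smaller points in the same hunk: "interpretion" should be "interpretation"; "see the variable." names no variable as it reads here; and `echo $charset` is unquoted, so the value is still subject to word splitting and pathname expansion before tr sees it, which `echo "$charset"` would avoid.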