.. _mailcap-shell-injection:

mailcap shell command injection
================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python `_ is available on GitHub
   in the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the `Open Source Vulnerability Database `_.

The ``mailcap`` module is vulnerable to shell code injection in filenames.
If the filename contains a shell command, it will be executed when the
returned command line is passed to ``os.system()``, as described in the
documentation.

To prevent security issues with shell metacharacters (symbols that have
special effects in a shell command line), the ``mailcap.findmatch()``
function now refuses to inject ASCII characters other than alphanumerics
and ``@+=:,./-_`` into the returned command line.

Dates:

* Disclosure date: **2015-08-02** (Python issue bpo-24778 reported)

Fixed In
--------

* Python **3.7.16** (2022-12-06) fixed by `commit 6e8e9e7 (branch 3.7) `_ (2022-10-11)
* Python **3.8.16** (2022-12-06) fixed by `commit 0a4f650 (branch 3.8) `_ (2022-10-11)
* Python **3.9.16** (2022-12-06) fixed by `commit c59a16e (branch 3.9) `_ (2022-10-11)
* Python **3.10.8** (2022-10-11) fixed by `commit 96739bc (branch 3.10) `_ (2022-09-20)
* Python **3.11.0** (2022-10-24) fixed by `commit fae93ab (branch 3.11) `_ (2022-06-03)

Python issue
------------

[CVE-2015-20107] mailcap.findmatch: document shell command Injection danger
in filename parameter.

* Python issue: `bpo-24778 `_
* Creation date: 2015-08-02
* Reporter: Bernd Dietzel

CVE-2015-20107
--------------

In Python (aka CPython) through 3.10.4, the mailcap module does not add
escape characters into commands discovered in the system mailcap file.
This may allow attackers to inject shell commands into applications that
call mailcap.findmatch with untrusted input (if they lack validation of
user-provided filenames or arguments).

* CVE ID: `CVE-2015-20107 `_
* Published: 2022-04-13
* `CVSS Score `_: 10.0

Timeline
--------

Timeline using the disclosure date **2015-08-02** as reference:

* 2015-08-02: `Python issue bpo-24778 `_ reported by Bernd Dietzel
* 2022-04-13 (**+2446 days**): CVE-2015-20107 published
* 2022-06-03 (**+2497 days**): `commit b9509ba (branch 3.12) `_
* 2022-06-03 (**+2497 days**): `commit fae93ab (branch 3.11) `_
* 2022-09-20 (**+2606 days**): `commit 96739bc (branch 3.10) `_
* 2022-10-11 (**+2627 days**): `commit 0a4f650 (branch 3.8) `_
* 2022-10-11 (**+2627 days**): `commit 6e8e9e7 (branch 3.7) `_
* 2022-10-11 (**+2627 days**): `commit c59a16e (branch 3.9) `_
* 2022-10-11 (**+2627 days**): Python 3.10.8 released
* 2022-10-24: Python 3.11.0 released
* 2022-12-06 (**+2683 days**): Python 3.7.16 released
* 2022-12-06 (**+2683 days**): Python 3.8.16 released
* 2022-12-06 (**+2683 days**): Python 3.9.16 released
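The allowlist described at the top of this page (ASCII alphanumerics plus ``@+=:,./-_``), applied to a filename before it is substituted into a mailcap ``view`` template, as an added illustration that is not the CPython module's own code. It simplifies the real ``%s`` substitution (no ``%t`` or ``%{param}`` handling) and only checks ASCII characters; the sample template and filenames are constructed.

```python
import re
from typing import Optional

# Characters the advisory says the patched findmatch() still lets through:
# ASCII alphanumerics and @+=:,./-_.  Anything else (space, ';', '|', '$',
# backticks, quotes, ...) is treated as unsafe.  Restricting the check to
# ASCII is a simplification made for this example.
_UNSAFE = re.compile(r"[^A-Za-z0-9@+=:,./_-]")


def find_unsafe(value: str) -> Optional[str]:
    """Return the first disallowed character in *value*, or None if clean."""
    match = _UNSAFE.search(value)
    return match.group(0) if match else None


def build_command(view_template: str, filename: str) -> Optional[str]:
    """Substitute *filename* into a mailcap 'view' template such as 'evince %s'.

    Post-fix behaviour: the filename is checked against the allowlist before
    substitution and None is returned instead of a command line when it
    contains shell metacharacters.  The unpatched code substituted
    unconditionally, and callers typically passed the result to os.system().
    """
    if find_unsafe(filename) is not None:
        return None
    return view_template.replace("%s", filename)


def demo() -> dict:
    """Run the check over constructed sample inputs (not from the advisory)."""
    template = "evince %s"
    safe_name = "report-2022_final.pdf"
    unsafe_name = "report.pdf; echo injected"
    return {
        "safe": build_command(template, safe_name),
        "unsafe": build_command(template, unsafe_name),
        "offending_char": find_unsafe(unsafe_name),
    }


if __name__ == "__main__":
    print(demo())
```

The same allowlist principle applies to every other caller-supplied value substituted into the template, which is why validating a user-provided filename before calling ``findmatch`` remains worthwhile even on fixed versions.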