mailcap shell command injection

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The mailcap module is vulnerable to shell code injection in filenames. If the filename contains a shell command, it will be executed if it is passed to os.system() as described in the documentation.

To prevent security issues with shell metacharacters (symbols that have special effects in a shell command line), the mailcap.findmatch() function now refuses to inject ASCII characters other than alphanumerics and @+=:,./-_ into the returned command line.

Dates:

• Disclosure date: 2015-08-02 (Python issue bpo-24778 reported)

Fixed In

• Python 3.7.16 (2022-12-06) fixed by commit 6e8e9e7 (branch 3.7) (2022-10-11)
• Python 3.8.16 (2022-12-06) fixed by commit 0a4f650 (branch 3.8) (2022-10-11)
• Python 3.9.16 (2022-12-06) fixed by commit c59a16e (branch 3.9) (2022-10-11)
• Python 3.10.8 (2022-10-11) fixed by commit 96739bc (branch 3.10) (2022-09-20)
• Python 3.11.0 (2022-10-24) fixed by commit fae93ab (branch 3.11) (2022-06-03)

Python issue

[CVE-2015-20107] mailcap.findmatch: document shell command Injection danger in filename parameter.

• Python issue: bpo-24778
• Creation date: 2015-08-02
• Reporter: Bernd Dietzel

CVE-2015-20107

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

• CVE ID: CVE-2015-20107
• Published: 2022-04-13
• CVSS Score: 10.0

Timeline

Timeline using the disclosure date 2015-08-02 as reference:

• 2015-08-02: Python issue bpo-24778 reported by Bernd Dietzel
• 2022-04-13 (+2446 days): CVE-2015-20107 published
• 2022-06-03 (+2497 days): commit b9509ba (branch 3.12)
• 2022-06-03 (+2497 days): commit fae93ab (branch 3.11)
• 2022-09-20 (+2606 days): commit 96739bc (branch 3.10)
• 2022-10-11 (+2627 days): commit 0a4f650 (branch 3.8)
• 2022-10-11 (+2627 days): commit 6e8e9e7 (branch 3.7)
• 2022-10-11 (+2627 days): commit c59a16e (branch 3.9)
• 2022-10-11 (+2627 days): Python 3.10.8 released
• 2022-10-24: Python 3.11.0 released
• 2022-12-06 (+2683 days): Python 3.7.16 released
• 2022-12-06 (+2683 days): Python 3.8.16 released
• 2022-12-06 (+2683 days): Python 3.9.16 released