mailcap shell command injection

The mailcap module is vulnerable to shell command injection via filenames: if a filename contains a shell command, it is executed when the command line returned by mailcap.findmatch() is passed to os.system(), as the documentation describes.

To prevent security issues with shell metacharacters (symbols that have special effects in a shell command line), the mailcap.findmatch() function now refuses to inject ASCII characters other than alphanumerics and @+=:,./-_ into the returned command line.
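As an added illustration (not code from CPython or from the issue), the allow-list just described, applied as a pre-check in an application before a filename reaches a mailcap command line; `unsafe_chars` and `render_view_command` are hypothetical helper names, and the command template and sample filenames are constructed.

```python
import string

# Allow-list from the fix described above: ASCII alphanumerics plus @+=:,./-_
# Non-ASCII characters are not refused, matching the description of the fix.
_SAFE_ASCII = frozenset(string.ascii_letters + string.digits + "@+=:,./-_")


def unsafe_chars(name):
    """Return the ASCII characters in `name` that fall outside the allow-list.

    An empty list means substituting `name` into a mailcap command line cannot
    add shell syntax (no ';', '$', '`', '(', quotes, whitespace, ...).
    """
    return sorted({ch for ch in name if ord(ch) < 128 and ch not in _SAFE_ASCII})


def render_view_command(template, filename):
    """Substitute `filename` for %s in a mailcap-style command template.

    Mirrors the hardened behaviour: an unsafe filename is refused (ValueError)
    instead of being spliced, unescaped, into a string that is later handed to
    os.system().  Hypothetical helper, not mailcap.findmatch() itself.
    """
    bad = unsafe_chars(filename)
    if bad:
        raise ValueError(
            "refusing to substitute filename %r: unsafe characters %r" % (filename, bad)
        )
    return template.replace("%s", filename)


if __name__ == "__main__":
    # Constructed sample entry, as a mailcap file might contain: text/plain; less %s
    print(render_view_command("less %s", "notes-2015.txt"))
    for sample in ("a;b.txt", "x$(y).txt", "a b.txt", "file`z`.txt"):
        try:
            render_view_command("less %s", sample)
        except ValueError as exc:
            print(exc)
```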

Dates:

  • Disclosure date: 2015-08-02 (Python issue bpo-24778 reported)

Fixed In

Vulnerable Versions

  • Python 3.7 (need release)
  • Python 3.8 (need release)
  • Python 3.9 (need release)

Python issue

[CVE-2015-20107] mailcap.findmatch: document shell command Injection danger in filename parameter.

  • Python issue: bpo-24778
  • Creation date: 2015-08-02
  • Reporter: Bernd Dietzel

CVE-2015-20107

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

Timeline

Timeline using the disclosure date 2015-08-02 as reference: