mailcap shell command injection


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The mailcap module is vulnerable to shell code injection in filenames. If the filename contains a shell command, it will be executed if it is passed to os.system() as described in the documentation.

To prevent security issues with shell metacharacters (symbols that have special effects in a shell command line), the mailcap.findmatch() function now refuses to inject ASCII characters other than alphanumerics and @+=:,./-_ into the returned command line.


  • Disclosure date: 2015-08-02 (Python issue bpo-24778 reported)

Fixed In

Python issue

[CVE-2015-20107] mailcap.findmatch: document shell command Injection danger in filename parameter.

  • Python issue: bpo-24778
  • Creation date: 2015-08-02
  • Reporter: Bernd Dietzel


In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).


Timeline using the disclosure date 2015-08-02 as reference: