gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993)

author: Petr Viktorin <encukou@gmail.com> 2022-06-03 09:43:35 (GMT)
committer: GitHub <noreply@github.com> 2022-06-03 09:43:35 (GMT)
commit: b9509ba7a9c668b984dab876c7926fe1dc5aa0ba (patch)
tree: 87acb264c690572842b87aa4d21679dd26623b14 /Misc/NEWS.d/next/Security
parent: 5a80e8580e2eb9eac4035d81439ed51523fcc4d2 (diff)
download: cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.zip
cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.tar.gz
cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
new file mode 100644
index 0000000..da81a1f
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
@@ -0,0 +1,4 @@
+The deprecated mailcap module now refuses to inject unsafe text (filenames,
+MIME types, parameters) into shell commands. Instead of using such text, it
+will warn and act as if a match was not found (or for test commands, as if
+the test failed).
author	Petr Viktorin <encukou@gmail.com>	2022-06-03 09:43:35 (GMT)
committer	GitHub <noreply@github.com>	2022-06-03 09:43:35 (GMT)
commit	b9509ba7a9c668b984dab876c7926fe1dc5aa0ba (patch)
tree	87acb264c690572842b87aa4d21679dd26623b14 /Misc/NEWS.d/next/Security
parent	5a80e8580e2eb9eac4035d81439ed51523fcc4d2 (diff)
download	cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.zip cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.tar.gz cpython-b9509ba7a9c668b984dab876c7926fe1dc5aa0ba.tar.bz2