
Viewing Attachments

Gaute Hope edited this page Oct 29, 2013 · 11 revisions

Security concerns on opening and viewing attachments

Both mime-view and mime-decode take input from the received e-mail, which is controlled by the sender. The relevant parts are content_type and filename. Neither hook is run without direct action from you, the user, or from a custom hook. It is very important that no link in your chain of either viewing (opening) an attachment or decoding (mime-decode) an attachment uses content_type or filename directly in a command (such as opening the attachment with an external application) without making sure it is safe.

Both content_type and filename are escaped so that they should be safe for use within a command. This is done using Ruby's Shellwords.escape.

The resulting string is intended to be used unquoted. It is therefore important that neither your .mailcap entries (the default view action on non-OS X systems) nor any of your mime-view or mime-decode hooks use content_type or filename inside quotes in a command: quoting an already escaped value changes how the shell reads it.

Otherwise you might open Sup up for remote command injection.

Decoding attachments

Here is an example of how to read HTML only emails, using the mime-decode.rb hook:

require 'shellwords'
# Only decode when there is no plain-text alternative in the multipart message.
unless sibling_types.member? "text/plain"
  case content_type
  when "text/html"
    # content_type is already escaped by Sup; the filename is escaped again here
    # so that it is safe to drop into the command string unquoted.
    `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
  end
end

The call to Shellwords.escape prevents commands embedded in the incoming mail (for example in the attachment's filename) from being injected into the shell. Be careful that every hook taking input from mail is written so that no commands can be passed through it.
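As an added check (example code, not part of Sup or of the hook above), the snippet below builds the w3m command the way the hook does and uses Shellwords.split, which follows POSIX quoting rules, to predict the argv the shell would hand to w3m. It shows that the unquoted escaped value round-trips for awkward filenames, while the quoted form the page warns against either mangles the filename or is not valid shell at all. The sample filenames are constructed for the demonstration.

```ruby
require 'shellwords'

# Build the command as the mime-decode hook does: escaped values, no quotes.
def view_command(content_type, filename)
  "/usr/bin/w3m -dump -T #{Shellwords.escape content_type} #{Shellwords.escape filename}"
end

# The mistaken form: wrapping the already escaped value in quotes.
# Kept only so the check below can show that it does not round-trip.
def quoted_view_command(content_type, filename, quote = '"')
  "/usr/bin/w3m -dump -T #{Shellwords.escape content_type} " \
    "#{quote}#{Shellwords.escape filename}#{quote}"
end

# Predict how /bin/sh splits the command string into words.
# Returns nil when the string is not valid shell (e.g. an unmatched quote).
def shell_argv(command)
  Shellwords.split(command)
rescue ArgumentError
  nil
end

# Round-trip check: does the filename reach the program unchanged, as one word?
def filename_round_trips?(command, filename)
  argv = shell_argv(command)
  !argv.nil? && argv.last == filename
end

# Constructed sample filenames of the kind a sender controls.
SAMPLES = ["report.html", "my file.html", "it's.html", "$HOME.html", "a\"b.html"]

if __FILE__ == $0
  SAMPLES.each do |f|
    puts "#{f.inspect}: unquoted=#{filename_round_trips?(view_command('text/html', f), f)} " \
         "quoted=#{filename_round_trips?(quoted_view_command('text/html', f), f)}"
  end
end
```

Run the same check against the command string your own .mailcap entry or hook produces before trusting it with mail from outside.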

Here is the documentation for the hook:

mime-decode
-----------
File: ~/.sup/hooks/mime-decode.rb
Decodes a MIME attachment into text form. The text will be displayed
directly in Sup. For attachments that you wish to use a separate program
to view (e.g. images), you should use the mime-view hook instead.

Variables:
   content_type: the content-type of the attachment
        charset: the charset of the attachment, if applicable
       filename: the filename of the attachment as saved to disk
  sibling_types: if this attachment is part of a multipart MIME attachment,
                 an array of content-types for all attachments. Otherwise,
                 the empty array.
Return value:
  The decoded text of the attachment, or nil if not decoded.