GNOME Bugzilla – Bug 170493
Handle "unsafe" files better
Last modified: 2016-02-28 05:36:29 UTC
(1) install gnome-btdownload, ensure that it is set up to open a .torrent file in nautilus.
(2) go to http://torrent.dulug.duke.edu/ and try to open the gnome-2.10-livecd.iso torrent.
(3) note that it says it doesn't have a handler for .torrent files
(4) edit $prefix/share/epiphany/mime-types-permissions.xml, adding application/x-bittorrent to the 'safe' section
(5) note that you can now open the file from torrent.dulug.duke.edu

In very poor form, this is two bugs:
(1) that torrents are not in the 'safe' mime type list
(2) that if your mimetype is not 'safe', you get told you don't have a handler, and are allowed to download it anyway.
Created attachment 39149 Consider unknown mime types as unsafe.
Created attachment 39152 Easier.
Thanks for the patch! Committed to HEAD and gnome-2-10. Leaving bug open for the mime type work.
I propose to add the following mime types to the safe part:
<mime-type type="application/vnd.corel-draw"/>
<mime-type type="application/vnd.mozilla.xul+xml"/>
<mime-type type="application/vnd.wordperfect"/>
<mime-type type="application/x-xbel"/>
<mime-type type="application/x-bittorrent"/>
<mime-type type="application/x-blender"/>
<mime-type type="application/x-font-type1"/>
<mime-type type="application/x-font-otf"/>
<mime-type type="application/x-javascript"/>
<mime-type type="application/x-magicpoint"/>
<mime-type type="application/x-matroska"/>
<mime-type type="application/x-mozilla-bookmarks"/>
<mime-type type="application/x-netscape-bookmarks"/>
<mime-type type="application/x-wpg"/>
<mime-type type="audio/x-flac"/>
<mime-type type="audio/x-ms-asx"/>
<mime-type type="image/jpeg2000"/>
<mime-type type="image/x-pict"/>
<mime-type type="image/rle"/>
<mime-type type="image/x-dcm"/>
<mime-type type="image/x-dib"/>
<mime-type type="image/vnd.djvu"/>
<mime-type type="image/dpx"/>
<mime-type type="image/x-fits"/>
<mime-type type="image/x-fpx"/>
<mime-type type="image/x-icb"/>
<mime-type type="image/x-sgi"/>
<mime-type type="image/x-sun-raster"/>
<mime-type type="image/x-win-bitmap"/>
<mime-type type="text/x-gettext-translation-template"/>
<mime-type type="text/x-csharp"/>
<mime-type type="text/x-uil"/>
<mime-type type="text/x-xmi"/>
<mime-type type="video/x-nsv"/>

And for the unsafe ones:
<mime-type type="application/vnd.palm"/>
<mime-type type="application/vnd.hp-hpgl"/>
<mime-type type="application/vnd.hp-pcl"/>
<mime-type type="application/x-ipod-firmware"/>
<mime-type type="application/x-macbinary"/>
<mime-type type="application/x-ms-dos-executable"/>
<mime-type type="application/x-ole-storage"/>
<mime-type type="inode/mount-point"/>
Created attachment 39220 Patch to check-mime.py
Safe part:
<mime-type type="application/vnd.corel-draw"/>
<mime-type type="application/vnd.wordperfect"/>
<mime-type type="application/x-xbel"/>
<mime-type type="application/x-bittorrent"/>
<mime-type type="application/x-blender"/>
<mime-type type="application/x-font-type1"/>
<mime-type type="application/x-font-otf"/>
<mime-type type="application/x-javascript"/>
<mime-type type="application/x-magicpoint"/>
<mime-type type="application/x-matroska"/>
<mime-type type="application/x-mozilla-bookmarks"/>
<mime-type type="application/x-netscape-bookmarks"/>
<mime-type type="application/x-wpg"/>
<mime-type type="audio/x-flac"/>
<mime-type type="audio/x-ms-asx"/>
<mime-type type="image/jpeg2000"/>
<mime-type type="image/x-pict"/>
<mime-type type="image/rle"/>
<mime-type type="image/x-dcm"/>
<mime-type type="image/x-dib"/>
<mime-type type="image/vnd.djvu"/>
<mime-type type="image/dpx"/>
<mime-type type="image/x-fits"/>
<mime-type type="image/x-fpx"/>
<mime-type type="image/x-icb"/>
<mime-type type="image/x-sgi"/>
<mime-type type="image/x-sun-raster"/>
<mime-type type="image/x-win-bitmap"/>
<mime-type type="text/x-gettext-translation-template"/>
<mime-type type="text/x-csharp"/>
<mime-type type="text/x-uil"/>
<mime-type type="text/x-xmi"/>
<mime-type type="video/x-nsv"/>

Unsafe category:
<mime-type type="application/vnd.mozilla.xul+xml"/>
<mime-type type="application/vnd.palm"/>
<mime-type type="application/vnd.hp-hpgl"/>
<mime-type type="application/vnd.hp-pcl"/>
<mime-type type="application/x-ipod-firmware"/>
<mime-type type="application/x-macbinary"/>
<mime-type type="application/x-ms-dos-executable"/>
<mime-type type="application/x-ole-storage"/>
<mime-type type="inode/mount-point"/>
Created attachment 39402 New safe and unsafe mime types (syncho with freedesktop)

The patch sorts the mime types, hence the big difference with the old mime-types-permissions.xml.

And I'm suspicious of:
<mime-type type="inode/blockdevice"/>
<mime-type type="inode/chardevice"/>
<mime-type type="inode/directory"/>
<mime-type type="inode/fifo"/>
<mime-type type="inode/socket"/>
<mime-type type="inode/symlink"/>
<mime-type type="application/x-shared-library-la"/>
<mime-type type="application/x-sharedlib"
Looks mostly good, thanks for the patch! Only thing I'm not sure about is application/x-*-rom ... move them to unsafe? And the inode/* shouldn't occur on downloads, it's okay to remove them IMHO.
Created attachment 39424 New safe and unsafe mime types (syncho with freedesktop)

Ok, I moved inode/* to unsafe category. And,
application/x-dc-rom: Dreamcast ROM
application/x-gameboy-rom: Game Boy ROM
application/x-genesis-rom: Genesis ROM
...
All are kind of executable, so I also moved them to unsafe category.
Committed the updated mime type list to HEAD and gnome-2-10.

From comment 0:
> (1) that torrents are not in the 'safe' mime type list

This is now fixed.

> (2) that if your mimetype is not 'safe', you get told you don't have a handler,
> and are allowed to download it anyway.

I don't understand this one: you mean we should disallow download of 'unsafe' types completely?
wrt my (2), it seems like the current system doesn't actually provide any safety - it gives an error message which implies that epiphany is broken, and then allows you to download and launch the 'dangerous' item anyway.

Alternatives, off the top of my head:
* actually have the dialog say 'this is unsafe', instead of 'we don't have a handler for it.' Explain why it is considered unsafe, what to do with it, etc. (Probably good, I guess; I'm not sure where this list comes from or why it is so unsafe, so I'm curious about the 'explain why' part myself :)
* Refuse to download it at all. (Probably not a great option :)
* Just ditch the dialog altogether, since as it currently stands, in 90% of cases, the user is just going to (1) briefly bitch about how gnome/epiphany sucks (2) download it (3) click on it in nautilus, presumably having the same security impact as if epiphany launched it. (Honestly, my preferred option, though maybe I'm missing something.)

[As an aside, why isn't this a blacklist? Why should I have to modify epiphany every time I install a new mime-type handler?]
> * actually have the dialog say 'this is unsafe', instead of 'we don't have a
> handler for it.'

Hmm right, we only show the 'unsafe' warning when it's both unsafe and a handler exists. I'm not sure if that's wrong, though: if no handler exists, the 'unsafe' type becomes 'safe', because there's no program bug to exploit by opening it, no?

> Explain why it is considered unsafe, what to do with it, etc.
> (Probably good, I guess; I'm not sure where this list comes from or why it is
> so unsafe, so I'm curious about the 'explain why' part myself :)

We can do that; just need a good explanation. 'Unsafe' means 'we guessed it might be possible that this file type is dangerous'. Like, shell scripts, executables etc. And rpm/debs.

> * Refuse to download it at all. (Probably not a great option :)

Agreed, not a good option :)

> * Just ditch the dialog altogether, since as it currently stands, in 90% of
> cases, the user is just going to (1) briefly bitch about how gnome/epiphany
> sucks (2) download it (3) click on it in nautilus, presumably having the same
> security impact as if epiphany launched it. (Honestly, my preferred option,
> though maybe I'm missing something.)

AISI, there are 2 types of files: those that need another program to 'view' them, and those that are self-contained. The first category is (mostly) safe (except interpreted languages, and the like); the second is totally insecure. Should we really make it any easier for users to run arbitrary code from the net?

> [As an aside, why isn't this a blacklist? Why should I have to modify epiphany
> every time I install a new mime-type handler?]

That's just a precaution, in case we overlooked an 'unsafe' format; we treat 'unknown' like 'unsafe'.
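The policy described in the comment above (an allowlist in which 'unknown' is treated like 'unsafe', with the warning shown only when a handler exists), as an added example that is not part of the bug thread and is not Epiphany's code. The `<safe>`/`<unsafe>` wrapper elements, the placement of the sample entries and the action names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the <safe>/<unsafe> wrapper layout is an assumption.
SAMPLE_PERMISSIONS = """
<mime-types-permissions>
  <safe>
    <mime-type type="application/x-bittorrent"/>
    <mime-type type="image/vnd.djvu"/>
    <mime-type type="application/x-gameboy-rom"/>
  </safe>
  <unsafe>
    <mime-type type="application/x-ms-dos-executable"/>
    <mime-type type="application/x-gameboy-rom"/>
  </unsafe>
</mime-types-permissions>
"""

def load_permissions(xml_text):
    """Return (safe, unsafe) sets of lower-cased MIME types."""
    root = ET.fromstring(xml_text)
    found = {}
    for section in ("safe", "unsafe"):
        found[section] = {
            el.get("type", "").strip().lower()
            for el in root.findall(f"./{section}/mime-type")
        } - {""}
    # A type listed in both sections is treated as unsafe.
    return found["safe"] - found["unsafe"], found["unsafe"]

def normalize(content_type):
    """Drop parameters such as '; charset=...' and fold case."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def classify(content_type, safe, unsafe):
    """Allowlist lookup: anything not explicitly safe, including unknown
    or empty types, is classified 'unsafe'."""
    mime = normalize(content_type)
    return "safe" if mime in safe and mime not in unsafe else "unsafe"

def decide(content_type, has_handler, safe, unsafe):
    """Map the classification to a UI action (hypothetical action names)."""
    if not has_handler:
        return "offer-download"      # nothing installed would open the file
    if classify(content_type, safe, unsafe) == "safe":
        return "open-with-handler"
    return "warn-unsafe"             # unsafe or unknown, and a handler exists

SAFE, UNSAFE = load_permissions(SAMPLE_PERMISSIONS)
```
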
> Should we really make it any easier for users to run arbitrary code from the
> net?

But you're not making it /hard/, you're just making it /irritating/. It's still only 2 additional clicks to download the unsafe whatever, hide all windows, find it on the desktop, and click to launch it. If we're really confident that this stuff is insecure* then either refuse to download it altogether, or work with the nautilus people to also block it there.

* and I'm really unconvinced we should make this determination at the browser level, instead of at the handler/OS level.
*** Bug 134193 has been marked as a duplicate of this bug. ***
Adjusting summary.
My guess is this bug is why various MIME types cannot be opened nowadays. We probably have more recent bug reports as well, but there's so many to sort through....