Patch mailcap to avoid CVE-2015-20107

Summary: and patch `test_mailcap` to validate `findmatch` is indeed blocked this module is [being removed in 3.13](python/cpython#104867) as part of [PEP-594](https://peps.python.org/pep-0594/) Reviewed By: amyreese, BrandonTheBuilder Differential Revision: D51567338 fbshipit-source-id: 6e6119413a5ce445cd6c2cd279095e146ef06b1b
facebookincubator · Dec 10, 2023 · 303a585 · 303a585
1 parent bbbe499
commit 303a585
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 21 deletions.
diff --git a/Lib/mailcap.py b/Lib/mailcap.py
@@ -175,23 +175,11 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
     entry to use.
 
     """
-    if _find_unsafe(filename):
-        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
-        warnings.warn(msg, UnsafeMailcapInput)
-        return None, None
-    entries = lookup(caps, MIMEtype, key)
-    # XXX This code should somehow check for the needsterminal flag.
-    for e in entries:
-        if 'test' in e:
-            test = subst(e['test'], filename, plist)
-            if test is None:
-                continue
-            if test and os.system(test) != 0:
-                continue
-        command = subst(e[key], MIMEtype, filename, plist)
-        if command is not None:
-            return command, e
-    return None, None
+    # START META PATCH
+    # replace function body with a RuntimeError to avoid CVE-2015-20107
+    # (and accelerate the upstream removal in 3.13, https://github.com/python/cpython/pull/104867)
+    raise RuntimeError("Disabled @ Meta for CVE-2015-20107")
+    # END META PATCH
 
 def lookup(caps, MIMEtype, key=None):
     entries = []

diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
@@ -257,17 +257,20 @@ def test_unsafe_mailcap_input(self):
             unsafe_mimetype = mailcap.subst("echo %t", "audio/*", "foo.txt")
             self.assertEqual(unsafe_mimetype, None)
 
-        with self.assertWarnsRegex(mailcap.UnsafeMailcapInput,
-                                   'Refusing to use mailcap with filename.*'
-                                   'Use a safe temporary filename.'):
+        # START META PATCH
+        with self.assertRaises(RuntimeError):
             unsafe_filename = mailcap.findmatch(MAILCAPDICT,
                                                 "audio/wav",
                                                 filename="foo*.txt")
             self.assertEqual(unsafe_filename, (None, None))
+        # END META PATCH
 
     def _run_cases(self, cases):
         for c in cases:
-            self.assertEqual(mailcap.findmatch(*c[0], **c[1]), c[2])
+            # START META PATCH
+            with self.assertRaises(RuntimeError):
+                mailcap.findmatch(*c[0], **c[1])
+            # END META PATCH
 
 
 if __name__ == '__main__':