python · vstinner · Apr 28, 2022 · Apr 28, 2022 · Apr 28, 2022 · Apr 28, 2022
@@ -26,6 +26,18 @@ The mailcap format is documented in :rfc:`1524`, "A User Agent Configuration
 Mechanism For Multimedia Mail Format Information", but is not an internet
 standard.  However, mailcap files are supported on most Unix systems.
 
+.. _mailcap-shell-injection:
+
+.. warning::
+
+   The Python implementation is vulnerable to shell command injection. By
+   design, the mailcap format uses shell commands. The caller is responsible to
+   validate and sanitize input arguments.
+
+   For the filename, the caller can create a temporary filename, using
+   :func:`tempfile.NamedTemporaryFile` or :func:`tempfile.mkstemp` for example,
+   to get a safe filename.
+
 
 .. function:: findmatch(caps, MIMEtype, key='view', filename='/dev/null', plist=[])
 

diff --git a/Doc/library/security_warnings.rst b/Doc/library/security_warnings.rst
@@ -17,6 +17,7 @@ The following modules have specific security considerations:
   basic security checks
 * :mod:`logging`: :ref:`Logging configuration uses eval()
   <logging-eval-security>`
+* :mod:`mailcap`: :ref:`Shell command injection <mailcap-shell-injection>`
 * :mod:`multiprocessing`: :ref:`Connection.recv() uses pickle
   <multiprocessing-recv-pickle-security>`
 * :mod:`pickle`: :ref:`Restricting globals in pickle <pickle-restrict>`