Opening attachments with commands which use a subshell are racy? #276

romanofski · 2019-03-30T03:33:06Z

Describe the bug
I've seen instances in which opening attachments with firefox end up with an error: the file can not be opened because it can not be found. This seems to be happening at random, although opening the same attachment a second time seems to work (I have not determined what the success rate is).

One thing however which sticks out is that the typical firefox program on Linux is a bash script. Purebred runs the invocation of Firefox in a shell itself. Commands like elinks seem to not have any trouble. My suspicion is, that the shell itself returns and therefore causes Purebred to close and remove the temporary file.

To Reproduce
Steps to reproduce the behavior:

Open an e-mail.
See list of attachments
Pick an HTML attachment and open it with firefox (should be a shell script)
See error

Expected behavior
No random failures due to the removal of the temporary file.

Screenshots
none

Additional context
Not sure what a good solution here is other than not remove the temporary file when the sub process has exited.

The text was updated successfully, but these errors were encountered:

frasertweedale · 2019-03-30T04:19:43Z

Yep, for sure this is the child process exiting after signalling some other process (i.e. the already-running firefox instance) to open the file.

We need a knob that says whether or not to delete the file after child process returns.

romanofski · 2019-04-01T00:44:59Z

After merging #275 I think fixing this item could also add a bit of cleanup for our open and pipe actions. I envision using a data type which can do a bracket style side effect. I haven't thought it through how exactly it will look like and how to incorporate the recent work on #269 but I hope it can be used to cleanup the duplication with invokeEditor, pipeCommand and openCommand.

romanofski · 2019-04-04T06:43:51Z

I've investigated the problem a bit further and stumbled over a script which employs inotify to watch when the file is closed by the child process. I suppose just watching if the file is closed will cause the same problem, but knowing about inotify I suppose an action could register a handler upon opening the file which removes it on a subsequent close.

The down side of this is, that it only works on Linux (or systems which support inotify) and therefore would restrict our portability (if that's even a thing).

I guess keeping the temporary file for now is the way to go and thinking about further fine grained management could be a thing if the need arises.

frasertweedale · 2019-04-04T07:49:23Z

Yikes, let's not go there. We just have a two-state knob, delete-after-child-termintes or not. The "not" case comes with the obvious caveat, and we move on.

This removes quite a bit of old code and introduces a function which takes care of most of the boring bits when handling attachments. It uses a bracket style pattern to either clean up or not the created temporary file, depending what type of command we're using (e.g. open vs. pipe). Fixes #276

This removes old cold of dealing with temporary files when opening and piping attachments. The patch introduces new data types for handling resources in order to be flexible enought to delete the temporary file or not after process exit. Furthermore, the patch removes any passing of commands to the shell (e.g. opening or piping). That was a very convenient way of passing additional arguments to the command which is not possible any more. However just passing arbitrary commands to the shell is inherently insecure and we better avoid it were possible. Related #276

When opening attachments with mailcap entries, it is sometimes possible that the actual binary just sends a message to the main program and exits. Deleting the temporary file upon process exit would cause the main program upon opening the temporary file to fail since the file would have been deleted by that time. Sometimes opening the file from the main program just works, because the time difference between exiting and opening is really quick, but mostly it doesn't. Instead, make the mailcap entry flexible so that depending on the command we either keep or delete the temporary file. Fixes #276