[Users] That won't work.

Jeremy Nicoll jn.ml.clwm.729 at letterboxes.org
Tue Oct 13 16:25:54 CEST 2020


On Tue, 13 Oct 2020, at 10:37, Ralf Mardorf via Users wrote:

> If we add a script and something such as "|p{echo '%to'}" or
> "|p{echo -n `echo '%t%c'|grep -o '[a-zA-Z0-9]*@domain.com'`}" is a
> script, we are responsible for what our script is doing.

But no-one expects 

  echo %to

to (say) delete all their files.  And no-one expects

 |p{myscript.pl %to}

to do anything other than invoke "myscript.pl" and pass a single
parameter to it.

Claws could at least partially protect users by having an encoded
version of the parm, eg  "%encto"  available for use in this situation.

Then rather than plugging eg 

   You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"

into the command string, Claws could insert instead

  596F75203C6C6567697440616464726573732E636F6D3E2C20224D722E2048616E273B746F756368202F746D702F626F6F6D3B2722

that being the hex representation of the troublesome string.  (That
is, "59" is the hex representation of "Y", "6f" is "o", "75" is "u" and so 
on.)

It has two advantages: it's a single word/token (ie no spaces in it)
so is easily recognised as a single argument (by a script), and
of course it's not got a command separator in it.

 
> Btw. I'm not sure, if all the scripts I'm using are that safe as I
> think, but this is true not only for scripts used with Claws.

Yes, but it's not the user's script that is the problem.  It's the 
way that Claws invokes them.


-- 
Jeremy Nicoll - my opinions are my own.
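
The hex-token idea from the message above, as an added example that is not part of the original post and not Claws Mail code: the client side encodes the header value, the shell sees one word with no metacharacters, and the receiving script decodes it. "%encto" is only the placeholder proposed in the post, and every function name below is hypothetical.

```shell
#!/bin/sh
# Added illustration. "%encto" is the placeholder proposed in the post, not an
# existing Claws Mail feature; function names here are hypothetical.

# Constructed sample: the To: value from the post. The archive renders "@" as
# " at "; the hex token quoted in the post encodes "@".
SAMPLE_TO="You <legit@address.com>, \"Mr. Han';touch /tmp/boom;'\""

# What the mail client would do to produce the %encto value.
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# True only for a non-empty, even-length run of hex digits.
is_hex_token() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# What the user's script would do with its single argument.
hex_decode() {
    is_hex_token "$1" || return 1
    token=$1
    while [ -n "$token" ]; do
        rest=${token#??}
        pair=${token%"$rest"}
        printf "\\$(printf '%03o' "0x$pair")"
        token=$rest
    done
}

# Stand-in for the user's script: insists on exactly one argument.
receive_to() {
    [ $# -eq 1 ] || return 2
    hex_decode "$1"
}

# Models text substitution into "|p{receive_to %encto}" followed by shell
# parsing. Only a validated hex token is ever handed to eval.
run_template() {
    enc=$(hex_encode "$1")
    is_hex_token "$enc" || return 1
    eval "receive_to $enc"
}

run_template "$SAMPLE_TO"; echo
```

The receiving script should reject any argument that fails the hex check rather than try to decode it.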