[Users] Suggestion: Make |p{...} more secure
claws at dragony.name
Sun Oct 11 01:40:28 CEST 2020
Heyho!
I know, today this list is action-loaded but I promise I will stop stealing your time after this!
Just a suggestion and just ignore it if you don't care.
The following is used to execute a shell script:
|p{shellscript}
Since this is rather useless, people probably append parameters:
|p{shellscript %bla %bla2 %whatever}
It seems claws executes this the following way:
system("shellscript %bla %bla2 %whatever"); (Perl-Syntax)
This is insecure. Hackers can inject arbitrary shell code and execute it on the user's system.
Better:
system(shellscript, arg0, arg1, arg2, ...);
This is secure, as the arguments are not being parsed by a shell.
Honestly I do not know about the internals of claws, but I tested with some ''-strings and I was able to execute additional commands.
- Dragony
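The argv-based form the post recommends, as an added example in C (the language Claws is written in; this is not Claws Mail's own code): the substituted parameters become separate argv entries handed to execvp(), so no shell parses them. /bin/echo stands in for the user's shell script, and the check reports whether a parameter arrived as one literal argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] directly via execvp(): the argument vector reaches the
 * program as-is, so no shell ever parses it.  The child's stdout is
 * captured into `out` (at most outlen-1 bytes, NUL-terminated).
 * Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[], char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fd[1]);                        /* parent */
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 &&
           (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Safe equivalent of "|p{script %bla}": the substituted value is its own
 * argv entry instead of being spliced into a command line.  Returns 1 if
 * the program echoed the parameter back byte-for-byte, i.e. any shell
 * metacharacters in it were treated as plain data. */
int param_passed_literally(const char *param)
{
    /* Constructed demo: /bin/echo stands in for the user's shell script. */
    char *const argv[] = { "/bin/echo", (char *)param, NULL };
    char out[256];
    if (run_argv(argv, out, sizeof out) != 0)
        return 0;
    size_t len = strlen(param);
    return strncmp(out, param, len) == 0 && strcmp(out + len, "\n") == 0;
}
```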