[Users] That won't work.

Michal Suchánek msuchanek at suse.de
Sun Oct 11 21:26:35 CEST 2020


Hello,

On Sun, Oct 11, 2020 at 09:17:37PM +0200, claws at dragony.name wrote:
> >> My solution IS working in that case, but has the stated security problems
> >> because Claws seems to execute the shell script with the parameters "the
> >> easy way".  
> >
> >But it's your script, and your choice. Should a bash shell prevent you from
> >running rm -rf /* if that's your choice? Or is a bash a security risk too?
> 
> The "rm -rf /*" part is not even arriving at my script, so I can't do anything about it in my script. Is there really nobody here seeing a security risk with |p{/your/program %some_var_with_arbitrary_data} while everything in {} is being passed unquoted to the shell??
> 
> Yes, you can say "Then don't pass parameters to your program!" but calling a program without parameters is not very useful in most cases.

I would assume the program gets the message on its input as well and the
data is in the message then. By reading the message it can process
fields which Claws does not allow passing, giving more accurate results.

Thanks

Michal
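
The injection the thread is arguing about, as an added example that is not part of the original messages or of Claws Mail's code: a small POSIX shell script that models a header value being expanded unquoted into a shell command line (simulate_unquoted_action is an assumed stand-in for the |p{...} action, not Claws' implementation), next to the approach Michal suggests, where the program receives the whole message on stdin and extracts the field itself so the data is never handed to a shell as code. The sample message is constructed.

```shell
#!/bin/sh
# Added demonstration, not from the thread or from Claws Mail.
# Models two ways a mail client can hand a header value to a user script:
#  1. expanding it unquoted into a command line that a shell then parses
#     (assumed model of the |p{... %var} action, not Claws' real code);
#  2. piping the whole message to the script, which parses the field itself.

# Constructed sample message whose Subject carries a shell metacharacter.
MSG='From: alice@example.org
Subject: hello; echo INJECTED
X-Note: test

body line'

# Model of the unsafe pattern: the field value is spliced into a command
# string which is then given to a shell, exactly as if it had appeared
# unquoted inside the {} of an action.  The shell re-parses the data, so a
# ';' in the value becomes a second command.
simulate_unquoted_action() {
    value=$1
    sh -c "echo processing $value"
}

# Extract one header value from a message read on stdin.  The value is only
# ever passed around as a string; no shell ever parses it as code.
# Headers end at the first blank line; the first exact name match wins.
header_from_stdin() {
    name=$1
    awk -v n="$name" '
        /^$/ { exit }
        index($0, n ": ") == 1 { print substr($0, length(n) + 3); exit }
    '
}

# Unsafe path: the client extracts the subject and expands it unquoted.
# Prints "processing hello" and then "INJECTED" on a second line.
demo_unsafe() {
    subject=$(printf '%s\n' "$MSG" | header_from_stdin Subject)
    simulate_unquoted_action "$subject"
}

# Safe path: the program gets the message on stdin and reads the field
# itself.  Prints the literal string "hello; echo INJECTED" as data.
demo_safe() {
    printf '%s\n' "$MSG" | header_from_stdin Subject
}

echo '--- unquoted expansion (unsafe) ---'
demo_unsafe
echo '--- message on stdin (safe) ---'
demo_safe
```

The difference is not the script's own quoting: once the value is inside a command string that a shell parses, the script has already lost, which is why the quoted reply says the "rm -rf /*" part never reaches it. Reading the message on stdin keeps the field as data end to end, and the script can also reach headers the action syntax does not expose.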
