[Users] That won't work.

Dave Howorth dave at howorth.org.uk
Sun Oct 11 23:19:33 CEST 2020


On Sun, 11 Oct 2020 21:59:12 +0200
claws at dragony.name wrote:

> >BTW, I tried to send an email to myself with a quoted naughty command
> >appended to the address. It failed with an SMTP error without
> >reaching even my ISP - ** error occurred on SMTP session
> >*** Error occurred while sending the message:
> >501 ... malformed address ...
> >
> >If anybody thinks they could send me such a malformed address, please
> >do so. Please cc me as well so I can see you tried. (I'd rather you
> >didn't use an actual rm command just in case you succeed :)  
> 
> Try packing the naughty command in the name so you don't violate the
> RFC.
> 
> To: You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"
> <whatever at you.name>
> 
> The exact magic chars needed depend on the claws code. Maybe claws
> uses system("") or system('') or system(string). I haven't checked
> the claws code, I am just a simple claws user. :(

I tried sending the exact quoting that you proposed. The to address was
dave-spam at howorth.org.uk, "xx';touch /tmp/boom;'" and tool.pl received
one argument:

 dave-spam at howorth.org.uk, "xx

FWIW I ran claws from a terminal and it output:

 sh: ": command not found

You may be right that the exact magic chars are different, but equally
Paul may be right that there isn't a problem. (I do agree with you that
passing single strings that are subsequently parsed into multiple args
is an inherently risky practice and that passing separate args is
better practice in general, though I haven't thought deeply about
whether it matters in this case a priori and I haven't read the code -
Paul has :)

But I'm an even more simple claws user than you :P and I think if you
want to make such claims then the onus is on you to read the code and
provide a reproducible test case :)

Last minute edit: actually no you don't. You already have. I just looked
and:

 $ ls -l /tmp/boom
 -rw-r--r-- 1 dhoworth users 0 Oct 11 22:03 /tmp/boom

So I would say there is a real problem. Paul?

> - Dragony
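
Added example, not part of the original post and not Claws Mail code: it reproduces the behaviour reported above (tool.pl sees a truncated argument, sh complains about `"`, and the marker file appears) and contrasts it with passing the address as a separate argument. It assumes the action template wraps the address placeholder in single quotes, which is consistent with the reported output but not confirmed from the code; the Python one-liner stands in for tool.pl, and the address and the relative marker file `boom` in a scratch directory are constructed.

```python
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for tool.pl (assumption): prints each argument it receives on its own line.
TOOL = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed address modelled on the one in the thread; the marker is a
# relative path so it can only appear inside the scratch directory.
ADDRESS = "dave-spam@example.org, \"xx';touch boom;'\""


def run_as_single_string(address, cwd):
    """Risky: paste the address into a quoted template and let sh parse it."""
    command = f"{shlex.join(TOOL)} '{address}'"  # assumed template: tool '%s'
    proc = subprocess.run(command, shell=True, cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.splitlines(), proc.stderr.strip()


def run_as_argv(address, cwd):
    """Better: the address is one argv element and no shell ever parses it."""
    proc = subprocess.run(TOOL + [address], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.splitlines(), proc.stderr.strip()


def demo():
    """Return {mode: (args seen by the tool, marker created?, stderr)}."""
    results = {}
    for mode, runner in (("string", run_as_single_string), ("argv", run_as_argv)):
        with tempfile.TemporaryDirectory() as scratch:
            args, err = runner(ADDRESS, scratch)
            marker = os.path.exists(os.path.join(scratch, "boom"))
            results[mode] = (args, marker, err)
    return results


if __name__ == "__main__":
    for mode, (args, marker, err) in demo().items():
        print(f"{mode}: tool received {args!r}, marker created: {marker}, stderr: {err!r}")
```

In the string case the embedded single quote closes the template's quoting early, so the shell sees three commands; in the argv case the whole address arrives as one argument and nothing else runs.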

