[Users] That won't work.
Michael A. Yetto
myetto at gmail.com
Mon Oct 12 02:28:36 CEST 2020
On Sun, 11 Oct 2020 21:17:37 +0200
claws at dragony.name writes, and having writ moves on:
> >> My solution IS working in that case, but has the stated security
> >> problems because claw seems to execute the shell script with the
> >> parameters "the easy way".
> >
> >But it's your script, and your choice. Should a bash shell prevent
> >you from running rm -rf /* if that's your choice? Or is a bash a
> >security risk too?
>
> The "rm -rf /*" part is not even arriving at my script, so I can't do
> anything about it in my script. Is there really nobody here seeing a
> security risk with |p{/your/program %some_var_with_arbitrary_data}
> while everything in {} is being passed unquoted to the shell??
>
> Yes, you can say "Then don't pass parameters to your program!" but
> calling a program without parameters is not very useful in most cases.
>
My suggestion is to refuse the script that you are sent by the person
trying to break-in. That way it won't be in your path when that
nefarious address is sent. At the very least do not mark it as
executable.
Mike Yetto
--
"Pluralitas non est ponenda sine necessitates."
- William of Ockham
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20201011/e815cb83/attachment.sig>
More information about the Users
mailing list