[Users] That won't work.

Michal Suchánek msuchanek at suse.de
Mon Oct 12 13:20:18 CEST 2020 

On Mon, Oct 12, 2020 at 10:14:47AM -0000, Paul wrote:
> On Mon, 12 Oct 2020 10:56:35 +0100
> Dave Howorth <dave at howorth.org.uk> wrote: 
> 
> > I think you're misunderstanding the scenario. Which is that *you* have
> > used claws facilities to install a script that *you* have written or
> > obtained from elsewhere. The bad actor then sends you a mail
> > with specially crafted headers (either at random as part of a general
> > mailshot, or because they have reason to believe you use claws) and
> > that mail exploits the bug in claws that causes such text to be
> > executed. Resulting in bad things happening on *your* system.
> 
> This is not a bug.
> 
> What you are talking about is a powerful feature which should be used wisely.
> For power-users, say.
> 
> No-one suggested using a template in such a way as is being discussed here.
> There are all sorts of foolish things a user can do on their computer.
I don't see how you could use the tamplate sanely, though.

If you allow passing the header as an argument and the argument is
interpreted by the shell the user could quote it - if the header did not
include quoting characters as well.

So in my view allowing to pass usanitized header to a shell is a bug no
matter how you look at it. Either Claws should sanitize the string or it
should use an exec* mutation that does not use use the shell but passes
the argument verbatim.

> Anyway, (to acknowledge an earlier response to this thread), creating 400
> different email addresses is creating a problem. So, you look outside for
> solution to the problem that you created. Maybe scrapping the idea and
> rethinking how you want to achieve your goal is needed?

As has been pointed out there are problems out there that call for this
kind of solution. Maybe Claws is not fit to be part of such a solution.

However, if the whole message is passed on the standard input of the
executed process as the pipe symbol suggests the process is in the
position to read all headers and there is no need to pass any as
arguments.

Thanks

Michal

More information about the Users mailing list