[Users] That won't work.
Ralf Mardorf
kde.lists at yahoo.com
Mon Oct 12 22:58:43 CEST 2020
On Mon, 12 Oct 2020 21:34:37 +0100, Jeremy Nicoll wrote:
>On Mon, 12 Oct 2020, at 21:19, Ralf Mardorf via Users wrote:
>> On Mon, 12 Oct 2020 20:36:59 +0100, Dave Howorth wrote:
>> >You're definitely not understanding the problem. Please read again
>> >the bit about "a script that *you* have written" and engage the
>> >brain and try to understand the whole picture.
>>
>> Hi Dave,
>>
>> from 2001: "Dave: What's the problem?
>> HAL : I think you know what the problem is just as well
>> as I do."
>>
>> The scripts I wrote, that are executed by Claws, cannot execute third
>> party commands/software ...
>
>I'm not sure if I understand the problem correctly, but I have the
>impression that it's got nothing to do with the contents of any script.
>
>Instead, it seems to be a weakness of the mechanism that invokes a
>script, where what's meant to be one or more parameter to that script
>is instead executed by the method Claws uses to invoke scripts.
>
>So if Claws would attempt to run
>
> <scriptname> <parm1> <parm2> <parm4> ...
>
>but one of those parameters is specially crafted and that command
>line looks like
>
> <scriptname> <parm1> <cmdseparator> <dangerouscommand>
>
>two commands get executed, namely
>
> <scriptname> <parm1> and
> <dangerouscommand>
>
>
>Have I misunderstood?
My understanding is, that it depends on the way you invoke a script.
IIUC invoking a script not necessarily makes it possible for somebody
executing something, when sending you an email, that adds ";", "&&" or
"||" followed by a command to a header ;) unless you decide to do
something freakish.
More information about the Users
mailing list