[Users] That won't work.

claws at dragony.name claws at dragony.name
Mon Oct 12 23:26:19 CEST 2020


>I'm not sure if I understand the problem correctly, but I have the 
>impression that it's got nothing to do with the contents of any script.
>
>Instead, it seems to be a weakness of the mechanism that invokes a 
>script, where what's meant to be one or more parameter to that script 
>is instead executed by the method Claws uses to invoke scripts.
>
>So if Claws would attempt to run
>
> <scriptname> <parm1> <parm2> <parm4> ...
>
>but one of those parameters is specially crafted and that command 
>line looks like 
>
>  <scriptname> <parm1> <cmdseparator> <dangerouscommand>
>
>two commands get executed, namely
>
>  <scriptname> <parm1>        and
> <dangerouscommand>
>
>
>Have I misunderstood?

Don't worry. You have correctly understood the problem. :)

It is unsettling how many people do not see the problem. No matter how bullet-proof your script is, the weakness lies before the execution of the script.

As long as this behaviour is not fixed, I just do not use that feature and honestly I think I have wasted enough of my time trying to explain this problem to this list. Now its up to this list and the devs to make whatever one wants to make out of it.

Just be assured that if there should be a CVE assigned to that problem one day, I didn't do it, because I just don't care enough about it.

- Dragony


More information about the Users mailing list