[Users] That won't work.

Ralf Mardorf kde.lists at yahoo.com
Mon Oct 12 23:28:45 CEST 2020


On Mon, 12 Oct 2020 22:58:43 +0200, Ralf Mardorf wrote:
>On Mon, 12 Oct 2020 21:34:37 +0100, Jeremy Nicoll wrote:
>>On Mon, 12 Oct 2020, at 21:19, Ralf Mardorf via Users wrote:  
>>> On Mon, 12 Oct 2020 20:36:59 +0100, Dave Howorth wrote:    
>>> >You're definitely not understanding the problem. Please read again
>>> >the bit about "a script that *you* have written" and engage the
>>> >brain and try to understand the whole picture.    
>>> 
>>> Hi Dave,
>>> 
>>> from 2001: "Dave: What's the problem?
>>>             HAL : I think you know what the problem is just as well
>>> as I do."
>>> 
>>> The scripts I wrote, that are executed by Claws, cannot execute
>>> third party commands/software ...    
>>
>>I'm not sure if I understand the problem correctly, but I have the 
>>impression that it's got nothing to do with the contents of any
>>script.
>>
>>Instead, it seems to be a weakness of the mechanism that invokes a
>>script, where what's meant to be one or more parameters to that script
>>is instead executed by the method Claws uses to invoke scripts.
>>
>>So if Claws would attempt to run
>>
>> <scriptname> <parm1> <parm2> <parm4> ...
>>
>>but one of those parameters is specially crafted and that command 
>>line looks like 
>>
>>  <scriptname> <parm1> <cmdseparator> <dangerouscommand>
>>
>>two commands get executed, namely
>>
>>  <scriptname> <parm1>        and
>> <dangerouscommand>
>>
>>
>>Have I misunderstood?  
>
>My understanding is that it depends on the way you invoke a script.
>IIUC, invoking a script does not necessarily make it possible for
>somebody to execute something, when sending you an email, that adds ";",
>"&&" or "||" followed by a command to a header ;) unless you decide to do
>something freakish.

Heck, nitpicking, it obviously depends on what you decide to pass
through.

You refer to

|p{tool.pl '%to'}
   ^^^^^^^

being the script.

To me

|p{tool.pl '%to'}
^^^^^^^^^^^^^^^^^

is the script (in the first place ;).
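The quoting hazard the thread is circling, as an added model that is not Claws Mail code and not from any poster: it assumes the action template is the string "tool.pl '%to'" and that the To: header is substituted textually before the whole line goes to a shell. Nothing is executed; the line is only tokenised the way a POSIX shell would read it, so you can see how many commands a crafted header turns it into, and what escaping the value or passing it as a single argv element does instead.

```python
import shlex

TEMPLATE = "tool.pl '%to'"        # from the thread: |p{tool.pl '%to'}
SEPARATORS = {";", "&&", "||", "|", "&"}

# Constructed sample: a To: header value that closes the template's own quote.
CRAFTED_TO = "alice@example.org'; echo injected; echo 'bob@example.org"


def naive_line(to_header: str) -> str:
    """Assumed textual substitution: the header lands inside the quotes."""
    return TEMPLATE.replace("%to", to_header)


def quoted_line(to_header: str) -> str:
    """Escape the value for the shell instead of trusting template quotes."""
    return "tool.pl " + shlex.quote(to_header)


def argv_form(to_header: str) -> list[str]:
    """Robust form: no shell line at all; the header is one argv element
    (to be run as subprocess.run(argv) with shell=False)."""
    return ["tool.pl", to_header]


def shell_commands(line: str) -> list[list[str]]:
    """Split a line into commands as a POSIX shell would: shlex with
    punctuation_chars turns ';', '&&', '||' into separate tokens."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # keep '@' etc. inside one word
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    print(shell_commands(naive_line(CRAFTED_TO)))   # three commands
    print(shell_commands(quoted_line(CRAFTED_TO)))  # one command
    print(argv_form(CRAFTED_TO))
```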