[Users] That won't work.
Ralf Mardorf
kde.lists at yahoo.com
Mon Oct 12 23:41:29 CEST 2020
On Mon, 12 Oct 2020 23:26:19 +0200, claws at dragony.name wrote:
>>I'm not sure if I understand the problem correctly, but I have the
>>impression that it's got nothing to do with the contents of any
>>script.
>>
>>Instead, it seems to be a weakness of the mechanism that invokes a
>>script, where what's meant to be one or more parameter to that script
>>is instead executed by the method Claws uses to invoke scripts.
>>
>>So if Claws would attempt to run
>>
>> <scriptname> <parm1> <parm2> <parm4> ...
>>
>>but one of those parameters is specially crafted and that command
>>line looks like
>>
>> <scriptname> <parm1> <cmdseparator> <dangerouscommand>
>>
>>two commands get executed, namely
>>
>> <scriptname> <parm1> and
>> <dangerouscommand>
>>
>>
>>Have I misunderstood?
>
>Don't worry. You have correctly understood the problem. :)
>
>It is unsettling how many people do not see the problem. No matter how
>bullet-proof your script is, the weakness lies before the execution of
>the script.
>
>As long as this behaviour is not fixed, I just do not use that feature
>and honestly I think I have wasted enough of my time trying to explain
>this problem to this list. Now its up to this list and the devs to
>make whatever one wants to make out of it.
>
>Just be assured that if there should be a CVE assigned to that problem
>one day, I didn't do it, because I just don't care enough about it.
You are executing your secure script, by an insecure script in the
first place. What do you think are the curly braces or parentheses for?
More information about the Users
mailing list