[Users] That won't work.

[Jeremy Nicoll]

On Mon, 12 Oct 2020, at 22:28, Ralf Mardorf via Users wrote:
 
> Heck, nitpicking, it obviously depends on what you decide to pass
> through.

Not really,  The user in this case decided to pass the value of "To".
There's nothing unreasonable about that.  Scripts would be more or 
less useless if they couldn't be passed headers from the emails
concerned.  (The alternative would be to pass a pointer to the 
entire mal but then every script author would have to parse that 
for themselves, duplicating effort that Claws has already done).

> You refer to
> 
> |p{tool.pl '%to'}
>    ^^^^^^^
> 
> being the script.  

I quoted someone-else's example.  But as a programmer I would 
say that "tool.pl" is the script in this case, and:

p{tool.pl '%to'}

is the Claws magic that invokes the tool.pl script, passing to it (in 
theory) just a sensible "to" value.

The problem is that if "To" in a specific mail has an embedded
command in it. 


/If/ claws were to encode the whole parameter string then run 

  tool.pl <encodedparms>

then it would be up to the author of tool.pl to decode the entire
encoded set of parameters and validate them properly, and only
act on the legitmate ones.  /If/ that was the problem then your 
idea that the fault lies with the author of the script would be 
reasonable.

But at the moment, others have already demonstrated that Claws
will execute unintended commands this way.

-- 
Jeremy Nicoll - my opinions are my own.