[Users] That won't work.
Jeremy Nicoll
jn.ml.clwm.729 at letterboxes.org
Tue Oct 13 00:16:59 CEST 2020
On Mon, 12 Oct 2020, at 22:28, Ralf Mardorf via Users wrote:
> Heck, nitpicking, it obviously depends on what you decide to pass
> through.
Not really. The user in this case decided to pass the value of "To".
There's nothing unreasonable about that. Scripts would be more or
less useless if they couldn't be passed headers from the emails
concerned. (The alternative would be to pass a pointer to the
entire mail but then every script author would have to parse that
for themselves, duplicating effort that Claws has already done).
> You refer to
>
> |p{tool.pl '%to'}
> ^^^^^^^
>
> being the script.
I quoted someone else's example. But as a programmer I would
say that "tool.pl" is the script in this case, and:
p{tool.pl '%to'}
is the Claws magic that invokes the tool.pl script, passing to it (in
theory) just a sensible "to" value.
The problem is if "To" in a specific mail has an embedded
command in it.
/If/ claws were to encode the whole parameter string then run
tool.pl <encodedparms>
then it would be up to the author of tool.pl to decode the entire
encoded set of parameters and validate them properly, and only
act on the legitimate ones. /If/ that was the problem then your
idea that the fault lies with the author of the script would be
reasonable.
But at the moment, others have already demonstrated that Claws
will execute unintended commands this way.
--
Jeremy Nicoll - my opinions are my own.
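
An added illustration, not part of the thread and not Claws Mail code: it models the action as plain text substitution of the header into a shell command line (an assumption about the mechanism) and compares that with substituting a shell-quoted value or building an argv list with no shell. All function names and both header values are constructed for this example.

```python
import re
import shlex

TEMPLATE = "tool.pl '%to'"              # action string quoted in the thread
CRAFTED_TO = "x'; echo INJECTED; '"     # constructed header value, harmless marker
BENIGN_TO = "alice@example.org"         # constructed header value

def expand_naive(template, to_value):
    """Paste the header text straight into the command line (assumed model)."""
    return template.replace("%to", to_value)

def expand_quoted(template, to_value):
    """Replace the placeholder, with or without the template's own quotes,
    by one shell-quoted word so the value can never end the argument."""
    return re.sub(r"'%to'|%to", lambda m: shlex.quote(to_value), template)

def build_argv(program, to_value):
    """No shell at all: the value is exactly one argv element, e.g. for
    subprocess.run(argv, shell=False)."""
    return [program, to_value]

def shell_words(cmdline):
    """Split the way a POSIX shell would, keeping ';', '|', '&' as tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""
    return list(lex)

def has_extra_command(cmdline):
    """True if the line contains a shell control operator outside quotes."""
    return any(w and set(w) <= set(";|&()<>") for w in shell_words(cmdline))

if __name__ == "__main__":
    for value in (BENIGN_TO, CRAFTED_TO):
        for expand in (expand_naive, expand_quoted):
            line = expand(TEMPLATE, value)
            print(f"{expand.__name__:14} {line!r:45} extra command: {has_extra_command(line)}")
```

The template's own single quotes protect only values that contain no single quote, which is why the quoting has to be applied to the value at substitution time rather than written into the template.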