[Users] That won't work.
Ralf Mardorf
kde.lists at yahoo.com
Tue Oct 13 00:26:38 CEST 2020
On Mon, 12 Oct 2020 23:16:59 +0100, Jeremy Nicoll wrote:
>On Mon, 12 Oct 2020, at 22:28, Ralf Mardorf via Users wrote:
>
>> Heck, nitpicking, it obviously depends on what you decide to pass
>> through.
>
>Not really. The user in this case decided to pass the value of "To".
>There's nothing unreasonable about that. Scripts would be more or
>less useless if they couldn't be passed headers from the emails
>concerned. (The alternative would be to pass a pointer to the
>entire mail but then every script author would have to parse that
>for themselves, duplicating effort that Claws has already done).
>
>> You refer to
>>
>> |p{tool.pl '%to'}
>> ^^^^^^^
>>
>> being the script.
>
>I quoted someone-else's example. But as a programmer I would
>say that "tool.pl" is the script in this case, and:
>
>p{tool.pl '%to'}
>
>is the Claws magic that invokes the tool.pl script, passing to it (in
>theory) just a sensible "to" value.
>
>The problem is that if "To" in a specific mail has an embedded
>command in it.
>
>
>/If/ claws were to encode the whole parameter string then run
>
> tool.pl <encodedparms>
>
>then it would be up to the author of tool.pl to decode the entire
>encoded set of parameters and validate them properly, and only
>act on the legitimate ones. /If/ that was the problem then your
>idea that the fault lies with the author of the script would be
>reasonable.
>
>But at the moment, others have already demonstrated that Claws
>will execute unintended commands this way.
Please explain what "()" or "{}" are for! You are obviously missing
the forest for the trees, or I'm missing the forest for the trees ;).
In this particular case, is it Claws executing commands or the invoked
shell?
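An added illustration of the point argued above (not code from the thread, from Claws or from tool.pl): the difference between splicing a header value into a command line that a shell will parse, and handing it to the script as one argv element with no shell involved. The header values are constructed here; `tool.pl` is the script name from the thread, and nothing below is executed, the functions only build and inspect command lines.

```python
import shlex

# Constructed sample "To" values: an ordinary address and one that carries
# shell syntax, as the thread describes for a crafted header.
ORDINARY_TO = "alice@example.invalid"
CRAFTED_TO = "alice@example.invalid' ; echo injected ; '"


def shell_line_unsafe(to_header: str) -> str:
    """The pattern under discussion: the raw header value is spliced into a
    command line that a shell parses later. Wrapping it in '...' does not
    help once the value itself contains a single quote."""
    return "tool.pl '%s'" % to_header


def shell_line_quoted(to_header: str) -> str:
    """If a shell has to be used, shlex.quote makes the shell see the value
    as exactly one word, whatever characters it contains."""
    return "tool.pl %s" % shlex.quote(to_header)


def argv_safe(to_header: str) -> list:
    """Preferred fix: no shell at all. The value is one argv element and
    reaches tool.pl byte for byte, which is what subprocess.run(argv)
    does with shell=False (the default)."""
    return ["tool.pl", to_header]


def commands_seen_by_shell(line: str) -> list:
    """Tokenise a command line the way a POSIX shell would and split it
    into the separate simple commands a ';' introduces, returning each
    command's argv. Inspection only: nothing is run."""
    commands, current = [], []
    for tok in shlex.split(line):
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands
```

For the crafted value the unsafe line becomes three commands (`tool.pl`, `echo injected`, and an empty one), while the quoted line and the argv form both deliver the whole value to tool.pl as a single argument.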