[Users] That won't work.

Michal Suchánek msuchanek at suse.de
Tue Oct 13 09:35:48 CEST 2020


On Tue, Oct 13, 2020 at 09:14:41AM +0200, Ralf Mardorf via Users wrote:
> >The last section of this webpage 
> >
> > https://www.claws-mail.org/faq/index.php/Templates
> >
> >shows an example:
> >
> >  |p{echo -n `echo '%t%c'|grep -o '[a-zA-Z0-9]*@domain.com'`}
> >
> >I would expect that the syntax is the one expected/supported by Claws.
> 
> [rocketmouse@archlinux ~]$ echo "foo@domain.com; rm -i /tmp/*; bar@domain.com; Lorem ipsum" |grep -o '[a-zA-Z0-9]*@domain.com'
> foo@domain.com
> bar@domain.com
> 
> Neither "rm -i /tmp/*" nor "Lorem ipsum" matches; only the addresses
> match.

This is not accurate. The syntax used is echo '%t%c'.
So you would get
echo 'foo@domain.com; rm -i /tmp/*; bar@domain.com; Lorem ipsum' |grep -o '[a-zA-Z0-9]*@domain.com'

However, there is nothing stopping %t%c from containing a single quote.
In fact many actual names people use do. Then the command can change to
echo 'foo@domain.com'; rm -i /tmp/*; 'bar@domain.com; Lorem ipsum' |grep -o '[a-zA-Z0-9]*@domain.com'
because %t%c was foo@domain.com'; rm -i /tmp/*; 'bar@domain.com; Lorem ipsum

Note that rm -i will probably fail to execute in this context because
claws likely does not attach a terminal to the filter command but rm
without -i will.

Other users already figured out the exact address to put into To: to
trigger this, as was confirmed by a claws user seeing the script execute.

So this templating as suggested by the faq allows remote execution of
arbitrary commands on your system controlled by the sender.

Now, this part of Claws is seriously underdocumented. The command used in
the test contained %to rather than '%t%c'. It is quite possible that
'%t%c' is safe and %to is not. However, while this distinction is not
documented, that still makes the templating insecure.

Thanks

Michal
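
The quote-breakout Michal describes, reproduced as an added example (this is not code from the thread or from Claws Mail). The header value is constructed, the function names are hypothetical, and the injected "command" is a harmless echo of a marker word instead of the rm from the thread. The point is defensive: the same template becomes safe once the header value is shell-quoted before substitution, although the better design is not to route untrusted header values through a shell at all.

```shell
#!/bin/sh
# Added example, not from the thread or from Claws Mail. Shows why a raw
# header value substituted into the FAQ's single-quoted echo lets a crafted
# From:/To: break out of the quotes, and how quoting the value first
# prevents that. HEADER is constructed; the payload is a harmless marker.

# Constructed header value: display name with an embedded single quote.
HEADER="foo@domain.com'; echo INJECTED; 'bar@domain.com; Lorem ipsum"

# Quote an arbitrary string as one single-quoted shell word: wrap it in
# single quotes and turn every embedded ' into '\'' (close, escaped, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Template expansion as in the FAQ: the raw value lands inside 'echo ...'
# and the resulting string is handed to the shell.
unsafe_extract() {
    eval "echo '$1' | grep -o '[a-zA-Z0-9]*@domain.com'"
}

# Hardened variant (hypothetical, not Claws' own fix): the value is
# shell-quoted before substitution, so echo receives it as one argument
# whatever characters it contains.
safe_extract() {
    eval "echo $(shell_quote "$1") | grep -o '[a-zA-Z0-9]*@domain.com'"
}

# Returns 0 if the marker word appears on its own line in the given output,
# i.e. if the injected command actually ran.
marker_ran() {
    printf '%s\n' "$1" | grep -qx INJECTED
}

# Stand-alone demonstration. stderr is silenced because the unsafe variant
# also tries to run 'bar@domain.com; Lorem ipsum' as a command name.
printf 'unsafe expansion output:\n%s\n\n' "$(unsafe_extract "$HEADER" 2>/dev/null || true)"
printf 'safe expansion output:\n%s\n' "$(safe_extract "$HEADER" 2>/dev/null || true)"
```

Run it and the unsafe expansion prints the marker line, proving the header value was executed as a command, while the safe expansion prints only the two addresses that grep extracts. Note that quoting protects only this one substitution; any other template field passed to a shell needs the same treatment.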

