[Users] That won't work.

Ralf Mardorf kde.lists at yahoo.com
Tue Oct 13 11:37:38 CEST 2020


On Tue, 13 Oct 2020 10:39:55 +0200, Ralf Mardorf wrote:
>On Tue, 13 Oct 2020 09:35:48 +0200, Michal Suchánek wrote:
>>However, there is nothing stopping %t%c from containing a single
>>quote. In fact many actual names people use do. Then the command can
>>change to echo 'foo@domain.com'; rm -i /tmp/*; 'bar@domain.com; Lorem
>>ipsum' |grep -o '[a-zA-Z0-9]*@domain.com' because %t%c was
>>foo@domain.com'; rm -i /tmp/*; 'bar@domain.com; Lorem ipsum
>>
>>So this templating as suggested by the faq allows remote execution of
>>arbitrary commands on your system controlled by the sender.
>>
>>Now, this part of Claws is seriously underdocumented. The command used
>>in the test contained %to rather than '%t%c'. It is quite possible
>>that '%t%c' is safe and %to is not. However, while this distinction
>>is not documented that still makes the templating insecure.

My apologies for sending the messages without a reply off-list. It
happened by accident, when testing templates.

Ok, if "To:" is

  You <legit@address.com>, "Mr. Han';touch /tmp/boom;'"

and the template does use

  |p{echo '%to'}

or

  |p{echo -n `echo '%t%c'|grep -o '[a-zA-Z0-9]*@domain.com'`}

the issue happens.

It does not happen, if the template does use

  %to

and nothing else.

That's nothing new to us. I still wouldn't say it's a Claws bug, but
the documentation should warn to avoid this approach, instead of
providing it as an example.

If we add a script and something such as "|p{echo '%to'}" or
"|p{echo -n `echo '%t%c'|grep -o '[a-zA-Z0-9]*@domain.com'`}" is a
script, we are responsible for what our script is doing.

Btw. I'm not sure if all the scripts I'm using are as safe as I
think, but this is true not only for scripts used with Claws.
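The quoting problem discussed in this thread, shown in plain POSIX sh as an added example (this is not code from the Claws Mail project, its FAQ, or any poster in the thread). The sample "To:" value is constructed after the one above; GNU grep is assumed for `-o`. The three helpers show a check for the condition that breaks a single-quoted template, the standard escaping that makes a value safe inside single quotes, and a pipeline that receives the header as data instead of as part of the command text:

```shell
#!/bin/sh
# Added example, not code from the Claws Mail project or from this thread.
# Shows, in plain POSIX sh, why a header value pasted into a single-quoted
# command breaks once the value contains a quote, and two defensive
# alternatives: pass the value as data, or escape it properly first.
# Assumes GNU grep (for -o); the sample header below is constructed.

# Constructed "To:" header value, modelled on the one in the thread.
SAMPLE_TO="You <legit@address.com>, \"Mr. Han';touch /tmp/boom;'\""

# Check: does the value contain a single quote, i.e. would a template of
# the form  echo '%to'  stop treating it as one literal string?
breaks_single_quote() {
    case "$1" in
        *\'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Escape a value so it can be embedded inside single quotes safely:
# every ' becomes '\'' (close the quote, add a literal quote, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Safe variant of the FAQ pipeline: the header reaches grep as data on
# stdin (via a function argument), never as part of the command text.
extract_address() {
    printf '%s\n' "$1" | grep -o '[a-zA-Z0-9.]*@[a-zA-Z0-9.]*' | head -n 1
}

# Demo when run directly.
if breaks_single_quote "$SAMPLE_TO"; then
    echo "Unsafe to interpolate in single quotes; the shell would see:"
    printf "  echo '%s'\n" "$SAMPLE_TO"
fi
echo "Properly quoted:   echo $(shell_quote "$SAMPLE_TO")"
echo "Extracted address: $(extract_address "$SAMPLE_TO")"
```

The point of `extract_address` is that the header value is never spliced into a string the shell parses: it is a function argument and then stdin of grep, so quotes, semicolons and backticks inside it are just bytes. `shell_quote` is the fallback when a value must be embedded in command text, as a template substitution does.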
