[Users] That won't work.
Jeremy Nicoll
jn.ml.clwm.729 at letterboxes.org
Tue Oct 13 16:25:54 CEST 2020
On Tue, 13 Oct 2020, at 10:37, Ralf Mardorf via Users wrote:
> If we add a script and something such as "|p{echo '%to'}" or
> "|p{echo -n `echo '%t%c'|grep -o '[a-zA-Z0-9]*@domain.com'`}" is a
> script, we are responsible for what our script is doing.
But no-one expects
echo %to
to (say) delete all their files. And no-one expects
|p{myscript.pl %to}
to do anything other than invoke "myscript.pl" and pass a single
parameter to it.
Claws could at least aprtially protect users by having an encoded
version of the parm, eg "%encto" available for use in this situation.
Then rather than plugging eg
You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"
into the command string, Claws could insert instead
596F75203C6C6567697440616464726573732E636F6D3E2C20224D722E2048616E273B746F756368202F746D702F626F6F6D3B2722
that being the hex representation of the troublesome string. (That
is "59" is the hex representation of "Y", "6f" is "o", "75" is "u" and so
on.)
It has two advantages: it's a single word/token (ie no spaces in it
so is easily recognised as a single argument (by a script), and
of course it's not got a command separator in it.
> Btw. I'm not sure, if all the scripts I'm using are that safe as I
> think, but this is true not only for scripts used with Claws.
Yes, but it's not the user's script that is the problem. It's the
way that Claws invokes them.
--
Jeremy Nicoll - my opinions are my own.
More information about the Users
mailing list