[Users] That won't work.

Dave Howorth dave at howorth.org.uk
Tue Oct 13 17:58:57 CEST 2020


On Tue, 13 Oct 2020 16:46:24 +0200
wwp <subscript at free.fr> wrote:

> Hello,
> 
> 
> On Tue, 13 Oct 2020 15:11:23 +0100 "Jeremy Nicoll"
> <jn.ml.clwm.729 at letterboxes.org> wrote:
> 
> > On Tue, 13 Oct 2020, at 11:12, Paul wrote:
> >
> > > On Tue, 13 Oct 2020 11:55:10 +0200
> > > Michal Suchánek <msuchanek at suse.de> wrote:
> > >
> > > > In my view there is no way to use templates with commands
> > > > safely in Claws.
> > >
> > > Of course there is. But obviously using random input is
> > > foolish.
> >
> > The "random input" in the examples is the contents of a header
> > in the email that's being processed.
> >
> > Are you saying that no scripted processing of emails is safe?
> 
> Safety is something vague that navigates between caution and stupidity
> (or innocence).

Agreed

> Malicious data passed to an external script/program can cause
> terrific damage, if the script/program does terrible things with the
> data it receives.

Agreed

> I think that our point here is to determine if Claws Mail may execute
> malicious commands that are placed in header values or not because of
> the way it executes the external command and passes data to it.

Agreed but ...

The point here made by myself, Michal and Dragony is that we have
*already* demonstrated that fact and posted the information here to
reproduce the problem yourself. Claws DOES execute malicious commands
that are placed in header values because of the way it executes the
external command and passes data to it.

To post again the information already posted upthread:

Dragony posted:

The "rm -rf /*" part is not even arriving at my script, so I can't do
anything about it in my script. Is there really nobody here seeing a
security risk with |p{/your/program %some_var_with_arbitrary_data}
while everything in {} is being passed unquoted to the shell??

Dragony posted the command that he might want to use:

|p{tool.pl %to}

Dragony then gave an exact formula for the bad guy to construct a
malicious email header:

To: You <legit at address.com>, "Mr. Han';touch /tmp/boom;'"

I then set up such a command, wrote a simple version of tool.pl that
simply prints its arguments, and sent myself an email with the
malicious header. My program received just one argument that did not
include the malicious payload, and meanwhile Claws created /tmp/boom :(

See
https://lists.claws-mail.org/pipermail/users/2020-October/027068.html

This is a well-known problem, so I'm quite surprised and frustrated to
find so many people apparently not understanding it and unwilling to
contemplate applying the equally well-known simple fix.

> What the external script does is off-topic.

Agreed
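As an added example (not from the thread, and not Claws Mail or tool.pl code), the three ways the expanded header value can reach an external tool: spliced into shell text, shell-quoted, or passed as its own argv element with no shell. The stand-in tool and the header values are constructed, and the "injected" command is only an echo, so the observable difference is which arguments the tool sees and whether an extra line of output appears.

```python
"""Why a header value must reach an external tool as one argv element.

Added example, not from the mailing-list thread. The stand-in for tool.pl
prints the argument vector it received as a JSON list; the header values
below are constructed and the injected command is a harmless echo.
"""
import json
import shlex
import subprocess
import sys

# Stand-in for tool.pl: echo back the argument vector as a JSON list.
TOOL = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed header values. The second carries a shell command separator.
BENIGN_TO = "Paul <paul@example.invalid>"
HOSTILE_TO = "Mr. Han; echo INJECTED"


def _parse(stdout):
    """Split tool output into (argv the tool saw, any other lines produced)."""
    lines = stdout.splitlines()
    argv = json.loads(lines[0]) if lines else []
    return argv, lines[1:]


def via_shell_unquoted(header_value):
    """Template-style expansion: the value becomes text that /bin/sh parses.
    Whitespace splits it into several arguments, ';' ends the command, and
    '<' or '>' in an address are read as redirections."""
    cmdline = shlex.join(TOOL) + " " + header_value
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True, check=False).stdout
    return _parse(out)


def via_shell_quoted(header_value):
    """Still a shell, but shlex.quote turns the whole value into one shell word."""
    cmdline = shlex.join(TOOL) + " " + shlex.quote(header_value)
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True, check=False).stdout
    return _parse(out)


def via_argv(header_value):
    """The simple fix: no shell at all; the value is one argv element whatever it contains."""
    out = subprocess.run(TOOL + [header_value], capture_output=True, text=True, check=False).stdout
    return _parse(out)


if __name__ == "__main__":
    for label, fn in (("unquoted shell", via_shell_unquoted),
                      ("quoted shell", via_shell_quoted),
                      ("argv, no shell", via_argv)):
        print(f"{label:15} -> {fn(HOSTILE_TO)}")
```

Running it shows the unquoted form handing the tool `["Mr.", "Han"]` followed by a stray `INJECTED` line, while the other two forms deliver the full value as a single argument and produce nothing else.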
