[Users] That won't work.

Dave Howorth dave at howorth.org.uk
Tue Oct 13 22:52:43 CEST 2020


On Tue, 13 Oct 2020 21:25:09 +0200
Michael Rasmussen via Users <users at lists.claws-mail.org> wrote:

> On Tue, 13 Oct 2020 16:58:57 +0100
> Dave Howorth <dave at howorth.org.uk> wrote:
> 
> The problem here is that it is very difficult to know what an
> individual person accepts as legitimate input (one man's roof is another
> man's floor ;-) so to solve it requires some kind of input validation
> which uses either a black list or a white list - for security reasons
> I would prefer a white list.

I don't think that is the problem here. The problem is that the
invoking program (claws) invokes a shell and passes it stringified
arguments (presumably prepended by the stringified command).

If you'd care to tell me how to locate that invocation in the code, I
will propose a solution (i.e. a patch).
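
[Added example, not part of the original message and not Claws Mail code: a minimal C sketch of the difference described above between handing a stringified command to a shell and passing each argument as its own argv element. The function names and the sample argument are constructed for illustration, and a POSIX system with `sh` and `echo` on PATH is assumed.]

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[] in a child process and capture its stdout into out. */
static int run_argv(char *const argv[], char *out, size_t outsz) {
    int fds[2], status;
    size_t n = 0; ssize_t r;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    while (n + 1 < outsz && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Pattern from the post: command and argument joined into one string for sh. */
int run_via_shell(const char *arg, char *out, size_t outsz) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", arg);
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_argv(argv, out, outsz);
}

/* No shell: the argument is one argv element and is never re-parsed. */
int run_direct(const char *arg, char *out, size_t outsz) {
    char *argv[] = { "echo", (char *)arg, NULL };
    return run_argv(argv, out, outsz);
}

int main(void) {
    const char *arg = "report; echo EXTRA";   /* constructed sample input */
    char a[256], b[256];
    run_via_shell(arg, a, sizeof a);
    run_direct(arg, b, sizeof b);
    printf("via shell:\n%sdirect:\n%s", a, b);
    return 0;
}
```

[With the shell in between, the single argument is re-parsed and produces two lines of output; passed directly, it arrives as one literal string, so no black list or white list of characters is needed for this step.]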

