fetchmail-friends

Re: [fetchmail] Possible security issue with %F

2003-04-02 02:50:38
Robert de Bath <list-fetchmail(_at_)mayday(_dot_)cix(_dot_)co(_dot_)uk> writes:

This makes the %F into a null string; which then made the argument of
the '-f' the config file and so the mail goes into the default box.

I've put single quotes around the %F and that solves the immediate
problem, HOWEVER, I haven't tested but I suspect you could do some
serious damage using something like this:

  From: "|rm -rf /;: "@nowhere.com.

Am I wrong?

SUMMARY:

DO NOT QUOTE the %F.
DO USE bare %F in the mda option.

GOOD: mda 'procmail -f %F' is fine and safe.

BAD:  mda "procmail -f '%F'" IS INSECURE.


VERBOSE:

Your concerns apply to the envelope sender address (usually in
Return-Path), not to the From: address. Null from addresses are fine.

As far as I am reading the open_mda_sink function in sink.c (current
version, 6.2.2), fetchnews takes care of that already: it changes all
single quotes to underscores and then surrounds the %F expansion with
single quotes, thus your adding single quotes is harmful. You cannot
break out of single quotes with double quotes, so the From header you're
quoting is harmless if you put a bare procmail -f %F:

Trying this in the real world also confirms this:

ltrace prints:
popen("maildrop -f '"|touch /tmp/tryme ;:"@blah.example.org'", "w") = 0x080a9840

.fetchmailrc snippet:
poll localhost with proto pop3
user 'test' there with password 'blah' is 'ma' here
mda 'maildrop -f %F' ssl

$ LANG=C ls -l /tmp/tryme
ls: /tmp/tryme: No such file or directory

However, you should remove the single quotes from your mda string (DO
NOT WRITE mda "maildrop -f '%F'"!) because that's evil:

popen("maildrop -f ''|touch@example.org''", "w"
sh: line 1: touch@example.org: command not found

I cannot currently exploit this because Postfix strips down the
malformatted envelope string. I tried /usr/sbin/sendmail -t -f '|touch
/tmp/tryme ;:@blah'.

-- 
Matthias Andree
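As an added illustration (not fetchmail's own code), here is a small Python model of the %F expansion Matthias describes (single quotes in the envelope sender become underscores, then the value is wrapped in single quotes), together with a check for shell metacharacters that end up outside quotes and a lint that flags an mda string whose %F already sits inside single quotes. Sender values are taken from the thread; the quote scanner ignores backslash escapes, which is an assumed simplification.

```python
SHELL_META = set("|;&$`<>()")


def expand_mda(template: str, envelope_sender: str) -> str:
    """Model of fetchmail 6.2.2's %F handling as described in the thread:
    replace every single quote in the sender with '_' and surround the
    result with single quotes before the command reaches popen().
    (Reconstructed from the description, not copied from sink.c.)"""
    escaped = envelope_sender.replace("'", "_")
    return template.replace("%F", "'" + escaped + "'")


def unquoted_metachars(command: str) -> list[str]:
    """Return shell metacharacters that a POSIX sh would interpret.
    Inside '...' everything is literal; inside "..." only $ and ` are
    still special.  Backslash escapes are not modelled (simplification)."""
    found = []
    in_single = in_double = False
    for ch in command:
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        elif in_single:
            continue
        elif in_double:
            if ch in "$`":
                found.append(ch)
        elif ch in SHELL_META:
            found.append(ch)
    return found


def quoted_f_in_template(template: str) -> bool:
    """Lint for the mda string (the text between the .fetchmailrc
    delimiters): True if %F is already inside single quotes, i.e. the
    insecure  mda "maildrop -f '%F'"  form from the thread."""
    in_single = False
    for i, ch in enumerate(template):
        if ch == "'":
            in_single = not in_single
        elif in_single and template.startswith("%F", i):
            return True
    return False


if __name__ == "__main__":
    sender = "|touch /tmp/tryme ;:@blah"  # envelope sender from the thread
    for tpl in ("maildrop -f %F", "maildrop -f '%F'"):
        cmd = expand_mda(tpl, sender)
        print(repr(cmd), "->", unquoted_metachars(cmd),
              "insecure template" if quoted_f_in_template(tpl) else "ok")
```

Run as-is, the bare %F template yields no interpretable metacharacters while the user-quoted one exposes `|` and `;` to the shell; the double-quoted From address from the first message stays harmless under the bare template because the double quotes are inert inside single quotes.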
