Ken wrote:
There are two things here. First, the function we created called argsplit(),
which we use to generate an argv[] array. We space-split that, unless we
find a shell metacharacter; if we see one, we pass it to /bin/sh -c.
Has that turned out to be a good idea? For example:
I didn't envision a security problem there, because you have control over
your own .mh_profile.
But I don't have control over the contents of incoming email messages.
The way things are right now, a malicious sender could wreak havoc on my
files if I simply reference a C-T parameter in my profile; see the example in:
http://lists.nongnu.org/archive/html/nmh-workers/2018-01/msg00045.html
I consider that to be a security problem.
My proposal is to simply edit out shell metacharacters (add # and ! like
David suggested) in those strings. That seems simple and reasonable to me.
Well, maybe replace them with an _ or something.
Paul V wrote in response:
% i think editing of that kind will violate the principle of least
astonishment.
+1 I'll go further, I think it's a bad idea.
My point in mentioning # and ! was that METACHARS was incomplete. Also,
it's dependent on the user's particular shell.
Would execve() solve all of these problems?
David
--
Nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers
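As an added illustration of David's execve() question (this is not code from the thread or from nmh): a space-splitting argsplit() that flags shell metacharacters but never falls back to /bin/sh -c, paired with a direct fork/execvp() of the resulting argv[]. The metacharacter set, the helper names and the hostile parameter "true x; exit 3" are constructed for the example; under sh -c that string would exit 3, exec'd as argv[] it just runs true and exits 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Constructed metacharacter set for this demo, not nmh's METACHARS table. */
#define SHELL_META "|&;<>()$`\\\"'*?[]#~=%!{}"
struct demo_result { int argc; int has_meta; int status; };

/* Space-split s into a NULL-terminated argv[] (max-1 entries), using buf as
 * scratch.  Sets *has_meta if a shell metacharacter is present, but never
 * hands the string to /bin/sh -c; the caller execs argv[] directly instead. */
int argsplit(const char *s, char *buf, size_t bufsz, char *argv[], int max,
             int *has_meta)
{
    int argc = 0;
    char *p = buf;
    if (strlen(s) >= bufsz) return -1;
    strcpy(buf, s);
    *has_meta = strpbrk(s, SHELL_META) != NULL;
    while (*p && argc < max - 1) {
        while (*p == ' ' || *p == '\t') p++;      /* skip separators */
        if (!*p) break;
        argv[argc++] = p;                         /* start of next word */
        while (*p && *p != ' ' && *p != '\t') p++;
        if (*p) *p++ = '\0';                      /* terminate the word */
    }
    argv[argc] = NULL;
    return argc;
}
/* fork + execvp: each argv[] element reaches the child as one literal argument,
 * so "x;" or "$(...)" is data, not syntax.  Returns the child's exit status, 127
 * if exec fails, -1 on fork/wait failure.  Caveat: the program still parses its
 * own arguments, so a value beginning with "-" may be taken as an option. */
int run_argv(char *const argv[])
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
/* Constructed hostile parameter spliced into a profile command line: under
 * sh -c "true x; exit 3" exits 3; exec'd as argv[] it runs true, which exits 0. */
struct demo_result demo(void)
{
    struct demo_result r;
    char buf[256], *argv[16];
    r.argc = argsplit("true x; exit 3", buf, sizeof buf, argv, 16, &r.has_meta);
    r.status = r.argc < 0 ? -1 : run_argv(argv);
    return r;
}
```

Stripping or replacing metacharacters, by contrast, changes the value the user sees and depends on which shell's metacharacter list is used; passing argv[] straight to exec sidesteps both problems.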