I didn't envision a security problem there, because you have control over
your own .mh_profile.
But I don't have control over the contents of incoming email messages.
That's an excellent point, and one which I overlooked yesterday.
Would execve() solve all of these problems?
I believe it would, at least as far as nmh is concerned.
Since no parameters would be passed to the shell directly, the shell
(whichever shell is being used) would have no opportunity to intervene
and do the wrong thing; essentially mhshow[*] would be acting as its
own mini-shell, which doesn't interpret any metacharacters other than
its own escape sequences.
Of course, it would then be up to whatever program or script is invoked by
the profile entry to sanitize its own input and not misinterpret anything
itself.
...but at least this would prevent nmh programs from causing harm directly.
- Steven
[*] (or any other program which reads a profile entry and processes it in
the way we're discussing)
--
___________________________________________________________________________
Steven Winikoff |
Concordia University | "It is never too late to be what you
Montreal, QC, Canada | might have been."
Steven.Winikoff@concordia.ca | - George Eliot
--
Nmh-workers
https://lists.nongnu.org/mailman/listinfo/nmh-workers