nmh-workers

Re: [Nmh-workers] proposed patch for shell metacharacter failure in nmh-


From: David Levine
Subject: Re: [Nmh-workers] proposed patch for shell metacharacter failure in nmh-1.7
Date: Tue, 16 Jan 2018 20:39:23 -0500

Ken wrote:

> There are two things here.  First, the function we created called argsplit(),
> which we use to generate an argv[] array.  We space-split that, unless we
> find a shell metacharacter; if we see one, we pass it to /bin/sh -c.

Has that turned out to be a good idea?  For example:

> I didn't envision a security problem there, because you have control over
> your own .mh_profile.

But I don't have control over the contents of incoming email messages.
The way things are right now, a malicious sender could wreak havoc on my
files if I simply reference a C-T parameter in my profile, see the example in:

    http://lists.nongnu.org/archive/html/nmh-workers/2018-01/msg00045.html

I consider that to be a security problem.

> My
> proposal is to simply edit out shell metacharacters (add # and ! like
> David suggested) in those strings.  That seems simple and reasonable to me.
> Well, maybe replace them with an _ or something.

Paul V wrote in response:

% i think editing of that kind will violate the principle of least
% astonishment.

+1  I'll go further, I think it's a bad idea.

My point in mentioning # and ! was that METACHARS was incomplete.  Also,
it's dependent on the user's particular shell.

Would execve() solve all of these problems?

David
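
An added illustration of the execve() approach asked about in the message above; it is not nmh code and does not come from anyone in the thread. The `%p` placeholder and the names `build_argv` and `run_argv` are hypothetical, and the parameter value is a constructed sample. The trusted profile entry is split first, the message-supplied value is then dropped in as a single argv element, and no shell ever parses it:

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAXARGS 16
#define PLACEHOLDER "%p"  /* hypothetical marker for a message parameter */

/* Split tmpl (the trusted profile entry) on spaces into argv[]. The token
 * PLACEHOLDER becomes `untrusted` as exactly one element, whatever bytes it
 * holds. buf is scratch space argv points into. Returns argc, or -1. */
int build_argv(const char *tmpl, const char *untrusted,
               char *buf, size_t buflen, char **argv)
{
    int argc = 0;
    if (strlen(tmpl) >= buflen)
        return -1;
    strcpy(buf, tmpl);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= MAXARGS - 1)
            return -1;
        argv[argc++] = strcmp(tok, PLACEHOLDER) == 0 ? (char *)untrusted : tok;
    }
    argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

/* Run argv directly with execvp(); returns the exit status, or -1. */
int run_argv(char **argv)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a parameter value full of shell metacharacters. */
    char buf[128], *argv[MAXARGS];
    if (build_argv("printf %s\\n %p", "a;b $(c) `d` #e !f", buf, sizeof buf, argv) < 0)
        return 1;
    return run_argv(argv);        /* prints the value verbatim */
}
```

Because the value is never rescanned, no METACHARS list has to be complete or shell-specific. What remains is the called program's own argument parsing: a value beginning with `-` can still be read as an option unless the template guards against it.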


