Re: [maildropl] security ramification of SHELL=/bin/sh and cc'ing to a 
From: Sam V. <mr...@co...> - 2007-02-27 23:37:20
Fred J writes:

> Hi again,
>
> I'm new to courier. So please excuse any redundancy. Also, I've read
> http://www.courier-mta.org/?maildropfilter.html~ENVIRONMENT and looked
> at archives.
>
> How secure is piping to a script with cc?

As secure as your command and script are.

> I mean: Is the message being shell-escaped when using SHELL=/bin/sh or
> is it being passed directly to the script being cc'd to without going
> through the shell?

The message will be received by the shell script on standard input.

> I assume that all values passed from mda are tainted in that
> possibly included shell escape sequences are left as is. Is this correct?

Correct.

> Does getaddr(string) extract valid rfc2822 that can be assumed to be
> safe/shell-escaped?

No. You can use the escape function for that.

> Would not setting the SHELL-env from /bin/false (assuming virtuser) to e.g.
> /bin/sh but to a jailshell be a safer alternative?
>
> I'm sensible to _not_ using import SOMETHING, btw.

What you need to do is understand how shell escaping works. There are two things happening here:

1) If the parameter to the cc, to, or any other command, is in double quotes, maildrop expands all variables in the string, before forming the shell command. Example:

    to "| bin/myscript '$SUBJECT'"

If the SUBJECT variable contains, say, the string "meeting", maildrop will expand the string argument to:

    | bin/myscript 'meeting'

And internally execute:

    argv[0] = "/bin/sh"
    argv[1] = "-c"
    argv[2] = "bin/myscript 'meeting'"

Of course, if the original SUBJECT variable was inherited from the incoming mail message, and contained shell escape characters, you'd be in trouble. To do this correctly:

    to '| /bin/myscript "$SUBJECT"'

maildrop does not expand variables in text literals that are delimited by apostrophes. The resulting parameter to the to command is exactly:

    | /bin/myscript "$SUBJECT"

And maildrop internally executes:

    argv[0] = "/bin/sh"
    argv[1] = "-c"
    argv[2] = "/bin/myscript \"$SUBJECT\""

As documented in maildropfilter, all maildrop variables get inherited by any process started by maildrop as environment variables. The shell will first word-split the command, and then perform variable substitution, resulting in /bin/myscript receiving "meeting", or whatever was in the original SUBJECT variable, without any further interpolation by the shell.

Hope that helps.

> What I'm basically asking is, should I always call escape() before
> cc'ing to a script and how safe is this? Btw: How can I call escape() on
> the entire message prior to cc'ing?

You don't. Your script receives the message on standard input, exactly as it was received by your mail server. It is your responsibility to read standard input, and process it safely.
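The two quoting forms described in the reply, shown side by side as an added example (not maildrop's code and not part of the original thread). It assumes a stand-in `myscript` function that just reports its argument count, a constructed SUBJECT value, and `eval` in the current shell as a stand-in for the `/bin/sh -c` that maildrop really runs.

```shell
#!/bin/sh
# Added example, not code from the maildrop project or the original post.
# Emulates how maildrop builds the /bin/sh -c command line for
#   to "| /bin/myscript '$SUBJECT'"   (double quotes: maildrop interpolates)
#   to '| /bin/myscript "$SUBJECT"'   (apostrophes: literal, shell expands)
# `eval` in this shell stands in for the sh -c that maildrop really runs;
# the command text it receives is identical in both cases.

# Constructed sample subject containing apostrophes and spaces, as a
# mail header from an untrusted sender might.
SUBJECT="Re: meeting' moved to 'Friday"

# Stand-in for /bin/myscript (hypothetical): prints "<argc>:<argv[1]>".
myscript() { printf '%d:%s\n' "$#" "$1"; }

# Double-quoted form: maildrop substitutes $SUBJECT into the command text
# BEFORE the shell parses it, so the apostrophes in the subject become
# shell syntax and the subject is word-split into several arguments.
double_quoted_form() {
    cmd="myscript '$SUBJECT'"   # what sh -c receives after interpolation
    eval "$cmd"
}

# Apostrophe form: the command text reaches the shell unchanged; the
# shell expands "$SUBJECT" from the environment as one word, with no
# further interpretation of its contents.
apostrophe_form() {
    cmd='myscript "$SUBJECT"'   # what sh -c receives, verbatim
    eval "$cmd"
}

double_quoted_form   # prints: 4:Re: meeting
apostrophe_form      # prints: 1:Re: meeting' moved to 'Friday
```

With a subject chosen differently, the first form would let header content become arbitrary shell syntax rather than merely extra arguments, which is the point of the reply.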