* Alexander Sack:

>> Uhm, it's still exploitable anyway. This time, the command is:
>>
>>   mozilla-thunderbird --compose 'mailto:'\''`df`'\'
>
> Bad ... so this is the wrong approach.
>
> You have an idea on how to fix the original script in a minimal way?

A compromise between robustness and minimality is to use /bin/bash instead of /bin/sh (which doesn't change anything for most people) and real arrays instead of $@ (a bash-specific feature). The patch below implements this. By the way, [EMAIL PROTECTED]"$1" is actually an array append operation. [EMAIL PROTECTED] evaluates to the current number of elements, and arrays are zero-based, so the left-hand side of the assignment denotes an array element one past the current last element. (Maybe this should be included as a comment in the script; I'm not sure.) The "declare -a" directives are optional, but I've included them to reflect the previous initializations. I can't get the "@@ -334,9 +331,9 @@" hunk to execute on my machine, so more testing is needed. --- mozilla-thunderbird 2005/09/23 14:17:28 1.1 +++ mozilla-thunderbird 2005/09/23 14:31:25 @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # The contents of this file are subject to the Netscape Public License # Version 1.0 (the "NPL"); you may not use this file except in @@ -117,7 +117,7 @@ fi script_args="" -moreargs="" +declare -a moreargs debugging=0 MOZILLA_BIN="${progbase}-bin" @@ -220,9 +220,7 @@ shift 2 ;; *) - # Protect quotes and $ in command-line arguments from two shell evals - moreargs="$moreargs \"$(echo "$1" | sed -e 's/"/\\\\\\\"/g' \ - -e 's/[$]/\\\\\\\$/g')\"" + [EMAIL PROTECTED]"$1" shift 1 ;; esac @@ -293,11 +291,10 @@ LOCALE_ARGS="-contentLocale $MOZLOCALE -UILocale $MOZLOCALE" if [ $ALREADY_RUNNING -eq 1 ]; then LOCK_FILE=lock; else LOCK_FILE=; fi -MOZ_ARGS= +declare -a MOZ_ARGS donext= -eval "set -- $moreargs" -for opt_in in "$@" +for opt_in in "[EMAIL PROTECTED]" do if [ -z "$donext" ] then @@ -321,11 +318,11 @@ next=compose donext=true else - MOZ_ARGS="$MOZ_ARGS \"$opt_in\"" + [EMAIL PROTECTED]"$opt_in" donext= fi else - MOZ_ARGS="$MOZ_ARGS \"$opt_in\"" + [EMAIL PROTECTED]"$opt_in" donext= fi else 
@@ -334,9 +331,9 @@ then # cut off protocol mail_to="$(expr match "$opt_in" "mailto:\(.*\)")" - MOZ_ARGS="\"mailto($mail_to)\"" - eval "set -- $MOZ_ARGS" - "${run_moz}" "$MOZ_CLIENT_PROGRAM" -a 'mozilla-thunderbird' "$@" + [EMAIL PROTECTED]"mailto($mail_to)" + "${run_moz}" "$MOZ_CLIENT_PROGRAM" -a 'mozilla-thunderbird' \ + "[EMAIL PROTECTED]" exit $? fi donext= @@ -349,16 +346,16 @@ fi export MRE_HOME -eval "set -- $MOZ_ARGS" ## Start addon scripts moz_pis_startstop_scripts "start" if [ $debugging = 1 ] then - echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS "$@"@ + echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN $LOCALE_ARGS "[EMAIL PROTECTED]"@ fi -"$dist_bin/run-mozilla.sh" $script_args "$dist_bin/$MOZILLA_BIN" $LOCALE_ARGS "$@" +"$dist_bin/run-mozilla.sh" $script_args "$dist_bin/$MOZILLA_BIN" $LOCALE_ARGS \ + "[EMAIL PROTECTED]" exitcode=$?
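
Review bot: In the `@@ -117,7 +117,7 @@` hunk, `declare -a moreargs` does not clear the variable the way the removed `moreargs=""` did. If `moreargs` is already set in the caller's environment, bash turns that string into element 0 of the array and it is later passed on as an argument. The same holds for `declare -a MOZ_ARGS` replacing `MOZ_ARGS=` in the `@@ -293,11 +291,10 @@` hunk. Initialising with `moreargs=()` and `MOZ_ARGS=()` keeps the reset.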
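
Review bot: In the `@@ -220,9 +220,7 @@` hunk the explanatory comment in the `*)` branch is removed with nothing in its place, and the index-by-length append that replaces it is not obvious to a reader. Add a one-line comment saying that the argument is stored verbatim as a new array element and that no escaping is needed because nothing is re-evaluated.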
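
Review bot: In the `@@ -334,9 +331,9 @@` hunk the removed line `MOZ_ARGS="\"mailto($mail_to)\""` overwrote MOZ_ARGS, so only the mailto(...) argument reached `$MOZ_CLIENT_PROGRAM`. If the replacement line is the append form described in the message, every argument collected so far is now passed as well. Assign a one-element array outright here to preserve the old behaviour. Since the message says this hunk could not be exercised, this path needs a test before the patch goes in.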
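
Review bot: In the `@@ -349,16 +346,16 @@` hunk the debugging `echo` line still ends with a stray `@` after the closing quote, carried over from the removed line; drop it. That echo also prints the arguments joined by spaces, so an argument containing whitespace looks like two arguments in the debug output; `printf '%q '` over the array would show what is really passed.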
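
The difference between the removed eval-based argument handling and the array-based handling the message proposes, as an added example that is not part of the original message or of the wrapper script. The function names and the harmless `echo EXPANDED` payload are constructed, and the append line is written the way the message describes it (index equal to the current element count).

```bash
#!/bin/bash
# Added illustration, not the wrapper script; function names are hypothetical.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"   # arrays need bash

# Removed approach: escape " and $ for two evals, then re-parse the strings.
# Backticks are not escaped, so the first eval runs them as a command.
legacy_args() {
    local moreargs="" MOZ_ARGS="" opt_in esc
    for opt_in in "$@"; do
        esc=$(echo "$opt_in" | sed -e 's/"/\\\\\\\"/g' -e 's/[$]/\\\\\\\$/g')
        moreargs="$moreargs \"$esc\""
    done
    eval "set -- $moreargs"              # first re-parse
    for opt_in in "$@"; do
        MOZ_ARGS="$MOZ_ARGS \"$opt_in\""
    done
    eval "set -- $MOZ_ARGS"              # second re-parse
    printf '<%s>\n' "$@"
}

# Proposed approach: keep each argument as one array element, never re-parse.
array_args() {
    local -a moreargs=() MOZ_ARGS=()
    local opt_in
    for opt_in in "$@"; do
        moreargs[${#moreargs[@]}]="$opt_in"   # append: index == current length
    done
    for opt_in in "${moreargs[@]}"; do
        MOZ_ARGS[${#MOZ_ARGS[@]}]="$opt_in"
    done
    printf '<%s>\n' "${MOZ_ARGS[@]}"
}

# Constructed, harmless stand-in for the command quoted in the thread.
payload='mailto:`echo EXPANDED`'
echo "eval : $(legacy_args "$payload")"   # substitution has been executed
echo "array: $(array_args "$payload")"    # argument is passed through verbatim
```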