* Alexander Sack:

>> Uhm, it's still exploitable anyway.  This time, the command is:
>> 
>>   mozilla-thunderbird --compose 'mailto:'\''`df`'\'
>> 
>
> Bad ... so this is the wrong approach.
>
> You have an idea on how to fix the original script in a minimal way?

A compromise between robustness and minimality is to use /bin/bash
instead of /bin/sh (which doesn't change anything for most people) and
real arrays instead of $@ (a bash-specific feature).  The patch below
implements this.

By the way,

  [EMAIL PROTECTED]"$1"

is actually an array append operation.  [EMAIL PROTECTED] evaluates to
the current number of elements, and arrays are zero-based, so the
left-hand side of the assignment denotes an array element one past the
current last element.  (Maybe this should be included as a comment in
the script; I'm not sure.)  The "declare -a" directives are optional,
but I've included them to reflect the previous initializations.

I can't get the "@@ -334,9 +331,9 @@" hunk to execute on my machine,
so more testing is needed.

--- mozilla-thunderbird 2005/09/23 14:17:28     1.1
+++ mozilla-thunderbird 2005/09/23 14:31:25
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # The contents of this file are subject to the Netscape Public License
 # Version 1.0 (the "NPL"); you may not use this file except in
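Review bot: The shebang change on line 1 comes without any comment saying why bash is now required. Add a short note near the top that the script uses bash arrays for argument passing, so a later cleanup does not switch the interpreter back to /bin/sh and break the array assignments.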
@@ -117,7 +117,7 @@
 fi
 
 script_args=""
-moreargs=""
+declare -a moreargs
 debugging=0
 MOZILLA_BIN="${progbase}-bin"
 
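Review bot: `declare -a moreargs` does not empty the variable the way the removed `moreargs=""` did. If a variable named moreargs is inherited from the environment, bash keeps its value as element 0 of the new array, and that element is later passed on as an argument. Initialise with `moreargs=()` instead; the same applies to `declare -a MOZ_ARGS` in the "@@ -293,11 +291,10 @@" hunk.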
@@ -220,9 +220,7 @@
       shift 2
       ;;
     *)
-      # Protect quotes and $ in command-line arguments from two shell evals
-      moreargs="$moreargs \"$(echo "$1" | sed -e 's/"/\\\\\\\"/g' \
-                                          -e 's/[$]/\\\\\\\$/g')\""
+      [EMAIL PROTECTED]"$1"
       shift 1
       ;;
   esac
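Review bot: The `*)` branch loses its explanatory comment and the new assignment gets none, although the append idiom is not obvious (the message itself raises this). Add a one-line comment above the assignment stating that it appends "$1" as a single array element at index equal to the current length, and that no escaping is needed because the value is never re-parsed. The added line is masked by address obfuscation in this copy, so the assignment itself cannot be checked here.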
@@ -293,11 +291,10 @@
 LOCALE_ARGS="-contentLocale $MOZLOCALE -UILocale $MOZLOCALE"
 if [ $ALREADY_RUNNING -eq 1 ]; then LOCK_FILE=lock; else LOCK_FILE=; fi 
 
-MOZ_ARGS=
+declare -a MOZ_ARGS
 donext=
 
-eval "set -- $moreargs"
-for opt_in in "$@"
+for opt_in in "[EMAIL PROTECTED]"
 do
   if [ -z "$donext" ]
   then 
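Review bot: Dropping `eval "set -- $moreargs"` before the loop means the positional parameters are no longer replaced, so they now hold whatever the option loop's `shift` calls left behind. Check the rest of the script for any remaining use of `$@`, `$*` or `$1` that relied on the re-set, beyond the ones changed in the later hunks.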
@@ -321,11 +318,11 @@
          next=compose
          donext=true
        else
-          MOZ_ARGS="$MOZ_ARGS \"$opt_in\""
+          [EMAIL PROTECTED]"$opt_in"
          donext=
        fi
      else
-       MOZ_ARGS="$MOZ_ARGS \"$opt_in\""
+       [EMAIL PROTECTED]"$opt_in"
        donext=
      fi
   else 
@@ -334,9 +331,9 @@
      then
         # cut off protocol
        mail_to="$(expr match "$opt_in" "mailto:\(.*\)")"
-       MOZ_ARGS="\"mailto($mail_to)\""
-       eval "set -- $MOZ_ARGS"
-       "${run_moz}" "$MOZ_CLIENT_PROGRAM" -a 'mozilla-thunderbird' "$@"
+        [EMAIL PROTECTED]"mailto($mail_to)"
+       "${run_moz}" "$MOZ_CLIENT_PROGRAM" -a 'mozilla-thunderbird' \
+          "[EMAIL PROTECTED]"
        exit $?
      fi
      donext=
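Review bot: The removed `MOZ_ARGS="\"mailto($mail_to)\""` overwrote MOZ_ARGS with the single mailto argument, and the replacement needs to keep that behaviour. The added assignment is masked in this copy, but if it uses the same append form as the other hunks, any elements collected earlier in the loop are also passed to `$MOZ_CLIENT_PROGRAM`. Assign a fresh one-element array here, for example `MOZ_ARGS=("mailto($mail_to)")`. The message reports that this hunk was never executed, so this branch should be exercised before the patch is applied.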
@@ -349,16 +346,16 @@
 fi
 
 export MRE_HOME
-eval "set -- $MOZ_ARGS"
 
 ## Start addon scripts
 moz_pis_startstop_scripts "start"
 
 if [ $debugging = 1 ]
 then
-  echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN 
$LOCALE_ARGS "$@"@
+  echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN 
$LOCALE_ARGS "[EMAIL PROTECTED]"@
 fi
-"$dist_bin/run-mozilla.sh" $script_args "$dist_bin/$MOZILLA_BIN" $LOCALE_ARGS 
"$@"
+"$dist_bin/run-mozilla.sh" $script_args "$dist_bin/$MOZILLA_BIN" $LOCALE_ARGS \
+  "[EMAIL PROTECTED]"
 
 exitcode=$?
 
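Review bot: The `echo` line and the `run-mozilla.sh` line in this hunk are wrapped onto a second line that carries no diff prefix (the continuations starting with `$LOCALE_ARGS` and `"$@"`), so the hunk will not apply as posted; resend the patch as an attachment or with line wrapping disabled. The debug `echo` also carries over the stray `@` after the closing quote from the old line, which can be dropped while the line is being touched.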


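The difference the patch relies on, shown as an added example that is not part of the original message or of the mozilla-thunderbird script. The function names and the sample argument are constructed for illustration; the first function mimics the flatten-and-eval pattern of the removed lines, the second the array append described above.

```bash
#!/bin/bash
# Added example, not part of the patch. Arrays are a bash feature, so
# re-exec under bash if some other shell started this file.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Constructed input: an argument carrying a command substitution whose
# command only prints a marker string.
sample_arg='mailto:`echo INJECTED`'

# Pre-patch pattern: escape " and $, flatten everything into one string,
# then let eval re-parse it. Backticks are not escaped, so they run.
rebuild_with_eval() {
  local flat="" a
  for a in "$@"; do
    a=${a//\"/\\\"}
    a=${a//\$/\\\$}
    flat="$flat \"$a\""
  done
  eval "set -- $flat"
  printf '%s' "$1"
}

# Patched pattern: one array element per argument, never re-parsed.
rebuild_with_array() {
  local -a args=()
  local a
  for a in "$@"; do
    args[${#args[@]}]="$a"   # index = current length, i.e. append
  done
  printf '%s' "${args[0]}"
}

printf 'eval : %s\n' "$(rebuild_with_eval "$sample_arg")"
printf 'array: %s\n' "$(rebuild_with_array "$sample_arg")"
```

The eval variant returns the argument with the substitution already executed, while the array variant returns it byte for byte.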