Re: [Nmh-workers] I need help reading the mhstore man page
Ken wrote:

> >If arbitrary means "what the user put into their profile",
> >yes, but we can't prevent that. Is there a way to get
> >mhstore to execute arbitrary code provided by the message?
>
> It does occur to me that there might be security concerns with using
> %a with '|', depending on shell quoting, etc etc (%a inserts all of
> the Content-Type parameters). I don't know how common that is.

Again, that's an issue with '|', not -auto. I'll remove the
recommendation in the man page not to use -auto, and add one to not use
%a with '|'. That seems like an odd combination, though maybe it'd be
useful for things like responding to calendar requests. Though I
wouldn't do that from mhstore.

David

___
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers

Re: [Nmh-workers] I need help reading the mhstore man page
>If arbitrary means "what the user put into their profile",
>yes, but we can't prevent that. Is there a way to get
>mhstore to execute arbitrary code provided by the message?

It does occur to me that there might be security concerns with using
%a with '|', depending on shell quoting, etc etc (%a inserts all of
the Content-Type parameters). I don't know how common that is.

--Ken

Re: [Nmh-workers] I need help reading the mhstore man page
David Levine writes:

>Norm wrote:
>
>> David Levine writes:
>> > Is clobbering the only [mhstore] security concern with -auto?
>>
>> Wouldn't the '|' feature, combined with an mhstore-store- in
>> .mh_profile, allow the execution of arbitrary code?
>
>If arbitrary means "what the user put into their profile",
>yes, but we can't prevent that. Is there a way to get
>mhstore to execute arbitrary code provided by the message?

On closer reading of the man page, I don't think so. You are right and
I was wrong.

Norman Shapiro

Re: [Nmh-workers] I need help reading the mhstore man page
Norm wrote:

> David Levine writes:
> > Is clobbering the only [mhstore] security concern with -auto?
>
> Wouldn't the '|' feature, combined with an mhstore-store- in
> .mh_profile, allow the execution of arbitrary code?

If arbitrary means "what the user put into their profile",
yes, but we can't prevent that. Is there a way to get
mhstore to execute arbitrary code provided by the message?

Also, '|' isn't affected by -auto: it is enabled even with -noauto.

David

Re: [Nmh-workers] I need help reading the mhstore man page
David Levine writes:

> Is clobbering the only [mhstore] security concern with -auto?

Wouldn't the '|' feature, combined with an mhstore-store- in
.mh_profile, allow the execution of arbitrary code?

Norman Shapiro

Re: [Nmh-workers] I need help reading the mhstore man page
> >The man page for mhstore recommends that, for the sake of security,
> >I not put the -auto switch in .mh_profile. Whatever the security
> >risk is, would it not also be present if I invoke mhstore with that
> >switch? But the man page does not seem to recommend against that.

Yes, they're equivalent. Should we replace that recommendation with
one that recommends nmh-storage and/or a non-default -clobber setting
with -auto? mhstore has the noted checks on the filename, and doesn't
pass it or a mhstore-store- string through the shell. Is clobbering the
only security concern with -auto?

> -auto uses the filename that may be present in the MIME headers as the
> filename of the output file. So, for example, if I were to send you a
> file named ".cshrc" (or .profile ... you get the idea), it could cause
> an issue if you didn't notice what it was doing. Looking at it more
> closely ... you know, I think -clobber always is a terrible default.

I agree, but that default maintains backward compatibility.

> I combine -auto with nmh-storage: /tmp. I think that's reasonable.

I use -auto -clobber ask

David

Re: [Nmh-workers] I need help reading the mhstore man page
>The man page for mhstore recommends that, for the sake of security, I not put
>the -auto switch in .mh_profile. Whatever the security risk is, would it not
>also be present if I invoke mhstore with that switch? But the man page does
>not seem to recommend against that.

-auto uses the filename that may be present in the MIME headers as the
filename of the output file. So, for example, if I were to send you a
file named ".cshrc" (or .profile ... you get the idea), it could cause
an issue if you didn't notice what it was doing. Looking at it more
closely ... you know, I think -clobber always is a terrible default.

I combine -auto with nmh-storage: /tmp. I think that's reasonable.

--Ken

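An added example, not part of this thread and not nmh code: a Python sketch of the policy discussed in the message above, where a sender-supplied filename is accepted only as a plain name, written into a dedicated storage directory, and never allowed to overwrite an existing file. `safe_name`, `store_part`, `demo` and the sample message are hypothetical, and the checks are not claimed to match the ones mhstore performs.

```python
import os
import tempfile
from email import message_from_string

# Constructed sample: an attachment whose suggested name is a shell startup file.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/plain; name=".cshrc"
Content-Disposition: attachment; filename=".cshrc"

echo constructed payload
"""

def safe_name(suggested):
    """Return the sender's filename if it is a plain name, else None."""
    if not suggested:
        return None
    base = os.path.basename(suggested.replace("\\", "/"))
    # Reject path components ("../x", "/etc/x", "a\\b") and dot files (".cshrc").
    if base != suggested or base.startswith("."):
        return None
    return base

def store_part(part, storage_dir, index=1):
    """Write one MIME part under storage_dir without ever overwriting a file."""
    name = safe_name(part.get_filename()) or f"part-{index}.bin"
    path = os.path.join(storage_dir, name)
    # O_CREAT|O_EXCL fails if the name already exists, including when it is
    # a pre-planted symlink, so an existing file is never clobbered.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(part.get_payload(decode=True) or b"")
    return path

def demo():
    """Store the constructed sample twice; return (stored_name, second_refused)."""
    msg = message_from_string(SAMPLE)
    with tempfile.TemporaryDirectory() as storage:
        first = os.path.basename(store_part(msg, storage))
        try:
            store_part(msg, storage)
            refused = False
        except FileExistsError:
            refused = True
    return first, refused

if __name__ == "__main__":
    print(demo())
```
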
[Nmh-workers] I need help reading the mhstore man page
The man page for mhstore recommends that, for the sake of security, I not put
the -auto switch in .mh_profile. Whatever the security risk is, would it not
also be present if I invoke mhstore with that switch? But the man page does
not seem to recommend against that.

The '|' facility is an obvious security risk, but as I read the man page it
would never be invoked unless my .mh_profile specifies a formatting string. So
assuming that my .mh_profile has no entries of the form mhstore-store- what are
the security risks of the -auto switch?

Norman Shapiro