Bug#809318: bts: overrides user-specified value of sendmail
James McCoy
jamessan at debian.org
Tue Dec 29 13:39:31 UTC 2015
On Tue, Dec 29, 2015 at 10:15:15AM +0000, Daniel Shahaf wrote:
> bts(1) sent an email without my permission:
> ..
> % bts --sendmail='() { cat $1 > /dev/tty }' reopen 999999
> --sendmail command contained funny characters: ()
> Reverting to default value /usr/sbin/sendmail
> %
> ..
>
> I expected it to invoke «system('() { cat $1 > /dev/tty } /path/to/file')»¹,
> which would have printed the email to /dev/tty without sending it.
FWIW, the -n option could be useful here. ☺
% bts -n reopen 999999
From: James McCoy <jamessan at debian.org>
To: control at bugs.debian.org
Subject: reopening 999999
Date: Tue, 29 Dec 2015 08:31:25 -0500
User-Agent: devscripts bts/2.15.9
Message-ID: <1451395885-805-bts-jamessan at debian.org>
reopen 999999
thanks
> Personally, I don't see why bts(1) validates the user-specified value:
It's been like that since the functionality was first introduced.
> there's no trust boundary here so there's no need to guard for shell
> injections. That said, if validation is done and fails, bts(1) should
> simply error out hard.
On first blush, I'd agree with this but I'm open to feedback from
others.
> Also, the patch doesn't cause system() to be invoked on the argument
> value; the value is split on spaces and fed to exec(), which fails with
> «Can't exec "()": No such file or directory at scripts/bts.pl line 2651.».
Hmm, we should probably be using Text::ParseWords' shellwords function
instead.
Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20151229/aef7efb5/attachment.sig>
More information about the devscripts-devel
mailing list