From: Jani Nikula
To: J Farkas, notmuch@notmuchmail.org
Cc: Tomi Ollila
Subject: Re: cli/insert: do not lose the SMTP envelope
In-Reply-To: <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net>
References: <1451647279.42.86b0a8ab@201601.l2015aftruuq.dns007.net> <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net>
Date: Sun, 03 Jan 2016 18:15:05 +0200
Message-ID: <877fjqwsfq.fsf@nikula.org>

On Sat, 02 Jan 2016, J Farkas wrote:
> On 2016-01-02 at 13:28:02, Tomi Ollila wrote:
>> On Fri, Jan 01 2016, J Farkas wrote:
>> > Make sure we store the envelope sender/recipient if provided by
>> > qmail-command(8) in $RPLINE and $DTLINE.
>> > ---
>>
>> Probably good feature, but like
>> http://www.qmail.org/man/man8/qmail-command.html
>> says:
>>
>>      qmail-local supplies several useful environment variables to
>>      command. WARNING: These environment variables are not
>>      quoted. They may contain special characters. They are
>>      under the control of a possibly malicious remote user.
>>
>> Should we check that the contents of RPLINE and DTLINE are well-formed
>> before writing these to the mail files?
>
> Thank you for reviewing and being so careful!
>
> That warning is not applicable for the *LINE variables which are
> supposed to end up in the message without further munging (they even
> have the LF appended already).
>
> The extra carefulness is only relevant for anyone trying to *parse*
> those strings, like $EXT via unsafe languages, when EXT becomes the
> part following the dash after the username (considering
> bgates-(){:;};shutdown@example.org for example)

We should already assume that the messages can contain basically any
malicious content, and we should treat them like that. Adding malicious
content at this step should not trip us over.

The question is, could this make it easier for Mallory to inject
malicious content to otherwise good messages? The environment variables
in question could contain a whole message, hiding the actual
message. Not sure how one could control the environment without being
able to do a whole lot of other, potentially more malicious things.

BR,
Jani.

>
> It still should be what the envelope sender was, and what was considered
> valid at the time.
>
> I actually checked if there's any relevance for this warning: most
> maildir delivering programs do it already in one form or the other; in
> fact, there is a command in the qmail distribution:
> http://www.qmail.org/man/man1/preline.html which does the exact same
> getenv and copy to the output.
>
> If you'd like to confirm, there's one repo for what seems to be the
> original qmail source for this file shows even DJB does it the same way:
>
> https://github.com/c-rack/qmail/blob/master/preline.c
>
> I would think it's not worth the extra fork and pipe for this. I don't
> see how anyone could do without these headers saved, to be honest :)
>
> Janos
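
The well-formedness check Tomi asks about, covering the "whole message inside the variable" case Jani raises, sketched in C as an added example; it is not notmuch's or qmail's code. The helper names are hypothetical, and the `Return-Path` / `Delivered-To` field names are assumed from qmail-command(8).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not notmuch code): return 1 only if `value` is
 * exactly one header line of the form "<field>: <text>\n". */
static int envelope_line_ok (const char *value, const char *field)
{
    size_t flen = strlen (field);
    size_t len;

    if (value == NULL)
        return 0;
    len = strlen (value);

    /* Must start with "<field>: " and carry at least one content byte. */
    if (len < flen + 4 || strncmp (value, field, flen) != 0 ||
        value[flen] != ':' || value[flen + 1] != ' ')
        return 0;

    /* The only LF allowed is the terminator qmail-local already appends. */
    if (value[len - 1] != '\n')
        return 0;

    /* Any other control byte is refused: an embedded LF or CR would start
     * a second header line, or end the header block so that the real
     * message is pushed into the body of an injected one. */
    for (size_t i = flen + 2; i < len - 1; i++) {
        unsigned char c = (unsigned char) value[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* 1 = safe to prepend, 0 = variable unset, -1 = set but malformed. */
static int check_envelope_var (const char *value, const char *field)
{
    if (value == NULL || *value == '\0')
        return 0;
    return envelope_line_ok (value, field) ? 1 : -1;
}

int main (void)
{
    const char *rp = getenv ("RPLINE"), *dt = getenv ("DTLINE");
    printf ("RPLINE=%d DTLINE=%d\n", check_envelope_var (rp, "Return-Path"),
            check_envelope_var (dt, "Delivered-To"));
    return 0;
}
```

A caller would prepend the variable only on a result of 1 and deliver the message unmodified (optionally logging) on -1, so a malformed environment never changes where the header block ends.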