From 35eef18c7420360552f032e049322fa4cce2d258 Mon Sep 17 00:00:00 2001 From: Jani Nikula Date: Sun, 3 Jan 2016 18:15:05 +0200 Subject: [PATCH] Re: cli/insert: do not lose the SMTP envelope --- 75/c37626da13f3182fd5b249d582a03cf793bd28 | 149 ++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 75/c37626da13f3182fd5b249d582a03cf793bd28 diff --git a/75/c37626da13f3182fd5b249d582a03cf793bd28 b/75/c37626da13f3182fd5b249d582a03cf793bd28 new file mode 100644 index 000000000..63392e75e --- /dev/null +++ b/75/c37626da13f3182fd5b249d582a03cf793bd28 
@@ -0,0 +1,149 @@ +Return-Path: +X-Original-To: notmuch@notmuchmail.org +Delivered-To: notmuch@notmuchmail.org +Received: from localhost (localhost [127.0.0.1]) + by arlo.cworth.org (Postfix) with ESMTP id A5D736DE17E7 + for ; Sun, 3 Jan 2016 08:16:01 -0800 (PST) +X-Virus-Scanned: Debian amavisd-new at cworth.org +X-Spam-Flag: NO +X-Spam-Score: -0.546 +X-Spam-Level: +X-Spam-Status: No, score=-0.546 tagged_above=-999 required=5 tests=[AWL=0.174, + DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, + RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled +Received: from arlo.cworth.org ([127.0.0.1]) + by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024) + with ESMTP id 4xhmmBYNxpUl for ; + Sun, 3 Jan 2016 08:15:59 -0800 (PST) +Received: from mail-wm0-f52.google.com (mail-wm0-f52.google.com + [74.125.82.52]) by arlo.cworth.org (Postfix) with ESMTPS id D9E386DE17DC for + ; Sun, 3 Jan 2016 08:15:58 -0800 (PST) +Received: by mail-wm0-f52.google.com with SMTP id b14so154529439wmb.1 + for ; Sun, 03 Jan 2016 08:15:58 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=nikula-org.20150623.gappssmtp.com; s=20150623; + h=from:to:cc:subject:in-reply-to:references:user-agent:date + :message-id:mime-version:content-type; + bh=YFLva8nldvXFqknO4RszXXea1JM7qmOKZL1zxiOzbrs=; + b=FcF/UNI8tOUU/h7r7/pUTkEllNYgyuc0yisZ40EHfDMU0hj8Hj3VXAqxJQLSe6Lxby + dCs/QOY4Jr0FLhei8szKSXQyFTvwQvtKQwQ0Ovocy1SrBcNgcLm9tHbPEw+Afq6LD6kj + xj7NBslH4UL+Q6g0kMUOdQRffZvpT9sx3pEOaWsd+yqmmxZqslOihoHv53AIsg0ro28z + lQW2LzYf+Db+e/x1NX9racoy0vRjudbcN6Il6yqU5ShPNEPoPmcR5x0cXMk6D8bs3c+H + WqrsohDWUWPZj9NJCQHujmaF/sdHuusuhTvGqa/2jaQCyNpr4bNr+kBOstj8vj4+TAVH + wlKg== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20130820; + h=x-gm-message-state:from:to:cc:subject:in-reply-to:references + :user-agent:date:message-id:mime-version:content-type; + bh=YFLva8nldvXFqknO4RszXXea1JM7qmOKZL1zxiOzbrs=; + 
b=A8Wboz4QnCQTa8qYTqiKQEgR7BsQIGncuI2C6aeNbZASlSZFj9vYFoWlteuEZ5U/w4 + uuTIZMknM6YHUEhZm0SOOC3fWmg1RsOY6RQSJCD0z0xy0bHFBfZq8myBXfpfd+Bwwjrd + e2xiFmH9VR0HHzgW7o0ObkUAmj4cdWVqXbZuZnYAdVmfRO4pSmHR70LNqnTBhp7vNIKS + LSPYiqpb0bzdeoZYR7jN2Ob3SlAFleoB7b/SvlJwsA+836LGFz46/80ISl2Nu/1xu6oA + a6HfpcgN+zyhLQtHO2+LFj2ki9MP95T03M65Q3cGANmtMuaTH8ZMssnwzqB/dqYj9v7N + NiiQ== +X-Gm-Message-State: ALoCoQmP74ZERLotASaLdSa8JE5Kwz8/FXayiUTnNzAx37rLhRWi7z2uToen+F6eRtp0DyhJGSkiI/LkB3xhcbMMroUhQpWdHw== +X-Received: by 10.194.236.6 with SMTP id uq6mr91200268wjc.126.1451837757395; + Sun, 03 Jan 2016 08:15:57 -0800 (PST) +Received: from localhost (mobile-access-bceec9-49.dhcp.inet.fi. + [188.238.201.49]) + by smtp.gmail.com with ESMTPSA id qs1sm21237783wjc.2.2016.01.03.08.15.55 + (version=TLSv1/SSLv3 cipher=OTHER); + Sun, 03 Jan 2016 08:15:55 -0800 (PST) +From: Jani Nikula +To: J Farkas , + notmuch@notmuchmail.org +Cc: Tomi Ollila +Subject: Re: cli/insert: do not lose the SMTP envelope +In-Reply-To: <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net> +References: <1451647279.42.86b0a8ab@201601.l2015aftruuq.dns007.net> + + <1451735416.13.504ebc4c@201601.l2015aftruuq.dns007.net> +User-Agent: Notmuch/0.21+34~ge1fb729 (http://notmuchmail.org) Emacs/24.4.1 + (x86_64-pc-linux-gnu) +Date: Sun, 03 Jan 2016 18:15:05 +0200 +Message-ID: <877fjqwsfq.fsf@nikula.org> +MIME-Version: 1.0 +Content-Type: text/plain +X-BeenThere: notmuch@notmuchmail.org +X-Mailman-Version: 2.1.20 +Precedence: list +List-Id: "Use and development of the notmuch mail system." + +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +X-List-Received-Date: Sun, 03 Jan 2016 16:16:01 -0000 + +On Sat, 02 Jan 2016, J Farkas wrote: +> On 2016-01-02 at 13:28:02, Tomi Ollila wrote: +>> On Fri, Jan 01 2016, J Farkas wrote: +>> > Make sure we store the envelope sender/recipient if provided by +>> > qmail-command(8) in $RPLINE and $DTLINE. 
+>> > --- +>> +>> Probably good feature, but like +>> http://www.qmail.org/man/man8/qmail-command.html +>> says: +>> +>> qmail-local supplies several useful environment variables to +>> command. WARNING: These environment variables are not +>> quoted. They may contain special characters. They are +>> under the control of a possibly malicious remote user. +>> +>> Should we check that the contents of RPLINE and DTLINE are well-formed +>> before writing these to the mail files ? +> +> Thank you for reviewing and being so careful! +> +> That warning is not applicable for the *LINE variables which are +> supposed to end up in the message without further munging (they even +> have the LF appended already). +> +> The extra carefulness is only relevant for anyone trying to *parse* +> those strings, like $EXT via unsafe languages, when EXT becomes the +> part following the dash after the username (considering +> bgates-(){:;};shutdown@example.org for example) + +We should already assume that the messages can contain basically any +malicious content, and we should treat them like that. Adding malicious +content at this step should not trip us over. + +The question is, could this make it easier for Mallory to inject +malicious content to otherwise good messages? The environment variables +in question could contain a whole message, hiding the actual +message. Not sure how one could control the environment without being +able to do a whole lot of other, potentially more malicious things. + +BR, +Jani. + + +> +> It still should be what the envelope sender was, and what was considered +> valid at the time. +> +> I actually checked if there's any relevance for this warning: most +> maildir delivering program does it already in one form or the other; in +> fact, there is a command in the qmail distribution: +> http://www.qmail.org/man/man1/preline.html which does the exact same +> getenv and copy to the output. 
+> +> If you'd liek to confirm, there's one repo for what seems to be the +> original qmail source for this file shows even DJB does it the same way: +> +> https://github.com/c-rack/qmail/blob/master/preline.c +> +> I would think it's not worth the extra fork and pipe for this. I don't +> see how anyone could do without these headers saved, to be honest :) +> +> Janos +> +> _______________________________________________ +> notmuch mailing list +> notmuch@notmuchmail.org +> https://notmuchmail.org/mailman/listinfo/notmuch -- 2.26.2
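Review bot: the injection question in Jani's reply near the end of the added file ("The environment variables in question could contain a whole message, hiding the actual message") is left unanswered by the thread, and the quoted argument only establishes that preline performs the same getenv-and-copy. The quoted qmail-command warning says these variables are unquoted and under the control of a possibly malicious remote user, and J Farkas notes that the *LINE values already carry their trailing LF. Given both, the cli/insert change under discussion could check that $RPLINE and $DTLINE each hold exactly one header line (a field name and colon, one terminating LF, no blank line and no second field before it) and skip the value otherwise. This is a string check inside insert, so it needs none of the extra fork and pipe the quoted text wants to avoid. Whichever way it is decided, the commit message of the insert patch should state the assumption about who controls these variables.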