From: Daniel Barlow <dan@telent.net>
To: notmuch@notmuchmail.org
Subject: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
Date: Wed, 05 Sep 2018 09:26:35 +0100 [thread overview]
Message-ID: <874lf41hac.fsf@telent.net> (raw)
I'm writing yet another notmuch web client: this one with a focus on
mobile, because it's great having email in emacs when I'm home or at my
desk but it turns out I actually do most of my email from my phone.
The structure is
* a very small web server that invokes notmuch with --format=json in
response to
* a "single page" clojurescript web app (re-frame/reagent/react)
* an ssh tunnel joining the two
There are a number of ways this is currently insecure but the particular
one I want to ask about today is running the notmuch cli commands with
user-supplied arguments and whether there are any particular gotchas in
doing so? I am reasonably sure that my code to invoke notmuch(1) is
calling execve(2) without invoking /bin/sh or the equivalent [*], but
are there ways, for example, that passing a weirdly formed thread-id to
["notmuch", "show", thread-id] could cause it to invoke a subshell or
delete the database or something else unexpected? I did look briefly at
using libnotmuch directly, but the JSON output format is oh *so*
convenient and I'd be entirely happy not to have to reinvent it.
[*] in Java, Runtime.exec(String[] cmdarray)
If you speak Clojure, what I'm currently doing is
https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27
and you can see screenshots of the WIP at
https://github.com/telent/epsilon/blob/master/README.md
Feedback welcome
-dan
next reply other threads:[~2018-09-05 8:35 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 8:26 Daniel Barlow [this message]
2018-09-06 19:12 ` Any tips on invoking notmuch cli securely? (pre-ANN yet another web client) David Bremner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://notmuchmail.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874lf41hac.fsf@telent.net \
--to=dan@telent.net \
--cc=notmuch@notmuchmail.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).