unofficial mirror of notmuch@notmuchmail.org
From: David Bremner <david@tethera.net>
To: Daniel Barlow <dan@telent.net>, notmuch@notmuchmail.org
Cc: xapian-discuss@lists.xapian.org
Subject: Re: Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
Date: Thu, 06 Sep 2018 16:12:54 -0300
Message-ID: <877ejy4eyx.fsf@tethera.net>
In-Reply-To: <874lf41hac.fsf@telent.net>

Daniel Barlow <dan@telent.net> writes:

> There are a number of ways this is currently insecure but the particular
> one I want to ask about today is running the notmuch cli commands with
> user-supplied arguments and whether there are any particular gotchas in
> doing so?  I am reasonably sure that my code to invoke notmuch(1) is
> calling execve(2) without invoking /bin/sh or the equivalent [*], but
> are there ways, for example, that passing a weirdly formed thread-id to
> ["notmuch", "show", thread-id] could cause it to invoke a subshell or
> delete the database or something else unexpected?  I did look briefly at
> using libnotmuch directly, but the JSON output format is oh *so*
> convenient and I'd be entirely happy not to have to reinvent it.

I'm leery of making any kind of guarantees, because the notmuch CLI has
never been audited from a security-minded point of view. It is C, so I
expect there are the usual kinds of bounds checking failures and buffer
overruns.

On the other hand, I'm reasonably sure nothing in the notmuch
query parser calls the shell. We do use the Xapian query parser pretty
much as a black box, so we'd inherit any (hypothetical)
vulnerabilities. On the other hand, Olly (in copy) has actually designed
the parser to be used in web facing software from the beginning, so
that's probably not a big issue.

d
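
An added example, not part of either message and not code from notmuch or from the web client under discussion: one way to hand a user-supplied thread id to notmuch(1) as an argument vector, with no shell involved, after checking its shape. It assumes thread ids are 16 lowercase hex digits and that notmuch's option parser treats "--" as the end of options; the names build_show_argv, show_thread and classify are hypothetical.

```python
import json
import re
import subprocess

# Assumption: notmuch thread ids are 16 lowercase hex digits.
THREAD_ID_RE = re.compile(r"[0-9a-f]{16}")


def build_show_argv(thread_id):
    """Return the argv list for `notmuch show`, or raise ValueError."""
    # fullmatch (not match with "$") so a trailing newline is rejected too.
    if not isinstance(thread_id, str) or not THREAD_ID_RE.fullmatch(thread_id):
        raise ValueError("rejected thread id: %r" % (thread_id,))
    # "--" ends option parsing, so the last element can only be search terms.
    # The "thread:" prefix is ours; the caller supplies nothing but the hex id,
    # so no query syntax from the request ever reaches the Xapian query parser.
    return ["notmuch", "show", "--format=json", "--", "thread:" + thread_id]


def show_thread(thread_id, timeout=30):
    """Run notmuch with a list argv (execve, no /bin/sh) and parse its JSON."""
    proc = subprocess.run(
        build_show_argv(thread_id),
        shell=False,               # never build a command string
        stdin=subprocess.DEVNULL,  # nothing from the web request on stdin
        capture_output=True,
        timeout=timeout,           # bound the run time of each request
        check=True,                # non-zero exit raises CalledProcessError
    )
    return json.loads(proc.stdout)


def classify(candidates):
    """Map each candidate to True (accepted) or False (rejected); runs nothing."""
    result = {}
    for candidate in candidates:
        try:
            build_show_argv(candidate)
            result[candidate] = True
        except ValueError:
            result[candidate] = False
    return result


if __name__ == "__main__":
    # Constructed sample inputs, as a web handler might receive them.
    samples = ["000000000000a1b2", "--config=/tmp/x", "a1b2 or tag:private",
               "000000000000A1B2", "000000000000a1b2\n", ""]
    for value, ok in classify(samples).items():
        print("%-24r %s" % (value, "accepted" if ok else "rejected"))
```

The check narrows what reaches the notmuch and Xapian parsers; it does not address the memory-safety concerns raised in the reply, which call for running the process with reduced privileges.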
