mkiol / GNotifier

Thunderbird add-on that replaces built-in notifications with the OS native notifications
https://addons.mozilla.org/thunderbird/addon/gnotifier/
GNU General Public License v3.0

custom command arguments not escaped #193

Closed wommel closed 6 years ago

wommel commented 6 years ago

The variables for the custom command should be shell-escaped, or the custom command should be called differently than via a shell string.

Currently it is possible to execute random shell code (at least on Linux). For example, setting:

custom command: /usr/bin/notify-send '%title' '%text' %title: %a $text: %s

Now receiving an email titled "' $(echo asdf)" will cause notify-send to be called with 'asdf' as the second parameter.

mkiol commented 6 years ago

Thank you for the report.

I will fix it in the next release.

mkiol commented 6 years ago

The issue has been fixed in the latest dev xpi.