Displaying 1 result from an estimated 1 matches for "libnotmuch".
2018 Sep 06
Any tips on invoking notmuch cli securely? (pre-ANN yet another web client)
...ing /bin/sh or the equivalent [*], but
> are there ways, for example, that passing a weirdly formed thread-id to
> ["notmuch", "show", thread-id] could cause it to invoke a subshell or
> delete the database or something else unexpected? I did look briefly at
> using libnotmuch directly, but the JSON output format is oh *so*
> convenient and I'd be entirely happy not to have to reinvent it.
I'm leery of making any kind of guarantees, because the notmuch CLI has
never been audited from a security-minded point of view. It is C, so I
expect there are the usual ki...