
I'm setting up a website that allows users to fill in a form which sends an email to a server. The subject of the email is generated as a server script that I would like to run on the server command line in order to automate a process. The commands are currently being run manually by me copying the formatted subject and running it in Terminal. Can anyone point me in the right direction? I've read several posts on Procmail but they're still confusing as to how they apply to my current need.

Here’s what I’d like to set up. The subject of the transaction email would look something like “cloudron clone --app store --backup latest --location site”. The server simply takes the subject as is and runs it as a script. The server is set up to execute scripts of this sort. I hope that’s clearer.

1 Answer

If the Subject header contains a command you want to run, you are exposing yourself to an arbitrary code execution vulnerability if someone can learn or guess what your email looks like. But something like this:

:0
* ^From www@your\.server\.example\.net
* ^X-Secret-Header: pA$$w0rd!\?
| formail -czxSubject: | sh

The more conditions and the more specific conditions you can put in to guard this, the smaller the risk that this can be exploited. I would still be extremely hesitant to put this on a production server. If you can put in a condition to only allow a handful of very specific commands (no rm, no cat, no ls, no cp, no sh or su or sudo obviously) then mmmaybe.

Here is a variation which allows for just one particular command:

:0
* ^Subject: adduser \/[a-z0-9_]+
| sqlite3 -d users -u db -e "insert into table users (name) with value ($MATCH)"

(My SQL syntax is probably off the wall; sorry.)

Here's with your example from the updated question:

:0
* ^Subject: \/cloudron clone --app store --backup latest --location [a-z0-9]+
| $MATCH </dev/null

... or perhaps better from a security point of view to allow only the parameter to be specified:

:0
* ^Subject: cloudron clone \/[a-z0-9]+
| cloudron clone --app store --backup latest --location "$MATCH" </dev/null

These examples demonstrate how to capture something into MATCH with the special regex operator \/ and we rather whimsically pipe the incoming message to a command which will simply ignore its standard input (we basically run it for the side effects). This will incidentally cause Procmail to regard the message as delivered; add a c flag to avoid that (:0c).

Many Procmail examples allow for arbitrary whitespace after the Subject: colon etc., but since these messages will presumably be machine-generated, that's an unnecessary complication here.

This will not cope correctly with MIME RFC2047-encoded headers; if you require that, you will need to add a decoding step (Perl one-liner?).

tripleee
  • One of the Procmail `man` pages (`procmailex`?) has an "ftp by email server" example you can look at. It's not fundamentally much different from this, except maybe to show you how to send a reply. – tripleee May 01 '17 at 07:47
  • Thanks @tripleee for the response. I simply need to automate a script on the server each time a transaction runs on a website. I've successfully generated unique scripts per transaction however I'd like to have the server consume the scripts and run it once the notification arrives at the server mail system. I'm quite new to this. Please forgive me sounding like a newbie. – Adaberemchi Aja-Onu May 01 '17 at 09:42
  • You seem to be repeating the information in the question. Perhaps you could [edit] the question to include an actual example? – tripleee May 01 '17 at 09:45
  • Ok. I've edited the question with more detail. – Adaberemchi Aja-Onu May 01 '17 at 09:59
  • See updated answer. – tripleee May 01 '17 at 12:11
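As an added example that is not part of the answer above or of Procmail, the allowlisting idea behind the last recipe written as POSIX shell functions: only the site name is taken out of the Subject header, it must match [a-z0-9]+ exactly, and the command line around it is fixed, so the subject text itself is never handed to a shell. The sample messages are constructed; the `cloudron` command is only assembled as a string, not executed.

```shell
#!/bin/sh
# extract_site: read a raw mail message on stdin, look at the header
# section only (stop at the first blank line), take the first Subject:
# header and accept it only if it is exactly "cloudron clone <name>"
# with <name> matching [a-z0-9]+. Prints <name> on success, returns 1
# (and prints nothing) on any other subject.
extract_site() {
    subject=$(sed -n -e '/^$/q' -e 's/^Subject: //p' | head -n 1)
    case "$subject" in
        "cloudron clone "*) name=${subject#"cloudron clone "} ;;
        *) return 1 ;;
    esac
    # The remainder must be lowercase alphanumerics only: no spaces,
    # no extra options, no shell metacharacters.
    printf '%s\n' "$name" | grep -Eq '^[a-z0-9]+$' || return 1
    printf '%s\n' "$name"
}

# build_command: the only variable part of the command line is the
# validated site name; everything else is fixed, as in the last recipe.
build_command() {
    name=$(extract_site) || return 1
    printf 'cloudron clone --app store --backup latest --location %s\n' "$name"
}

# Constructed sample messages (hypothetical sender, as in the answer).
msg_ok='From: www@your.server.example.net
Subject: cloudron clone mysite01

body text'
msg_extra_args='From: www@your.server.example.net
Subject: cloudron clone mysite01 --location other

body text'
msg_subject_in_body='From: www@your.server.example.net
X-Note: no subject header at all

Subject: cloudron clone mysite01'
```

Running `printf '%s\n' "$msg_ok" | build_command` prints the fixed command line with `mysite01` filled in, while the other two messages are rejected; the decoding step for RFC2047-encoded subjects mentioned in the answer would go before `extract_site`.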