I'm writing yet another notmuch web client: this one with a focus on mobile, because it's great having email in emacs when I'm home or at my desk, but it turns out I actually do most of my email from my phone.

The structure is

* a very small web server that invokes notmuch with --format=json in response to
* a "single page" clojurescript web app (re-frame/reagent/react)
* an ssh tunnel joining the two

There are a number of ways this is currently insecure, but the particular one I want to ask about today is running the notmuch cli commands with user-supplied arguments, and whether there are any particular gotchas in doing so?

I am reasonably sure that my code to invoke notmuch(1) is calling execve(2) without invoking /bin/sh or the equivalent [*], but are there ways, for example, that passing a weirdly formed thread-id to ["notmuch", "show", thread-id] could cause it to invoke a subshell or delete the database or something else unexpected?

I did look briefly at using libnotmuch directly, but the JSON output format is oh *so* convenient and I'd be entirely happy not to have to reinvent it.

[*] in Java, Runtime.exec(String[] cmdarray)

If you speak Clojure, what I'm currently doing is https://github.com/telent/epsilon/blob/master/src/epsilon/server.clj#L27 and you can see screenshots of the WIP at https://github.com/telent/epsilon/blob/master/README.md

Feedback welcome

-dan

notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
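The question above is really about argument injection rather than shell injection: with Runtime.exec(String[]) no shell parses the string, but an untrusted value placed in argv can still be read by notmuch as an option (anything starting with "--") or as a wider search expression than a single thread. An allow-list check on the thread id before it reaches argv closes both holes. The following is an added example written for this post, not code from the epsilon repository; the namespace name, the helper names and the regex for a thread id (assumed here to be "thread:" followed by hex digits) are all assumptions.

```clojure
(ns epsilon.safe-args)

;; Assumed shape of a notmuch thread id as it appears in --format=json
;; output: "thread:" followed by hex digits. Anything else (spaces,
;; a leading "--", boolean search operators) is rejected before argv.
(def thread-id-re #"^thread:[0-9a-f]{1,32}$")

(defn valid-thread-id?
  "True when s is exactly one well-formed notmuch thread id."
  [s]
  (boolean (and (string? s) (re-matches thread-id-re s))))

(defn show-argv
  "Build the argv for `notmuch show` from an untrusted thread id.
   Throws instead of returning an argv when the id fails the allow-list,
   so a client-controlled string can never become an extra option
   (e.g. a value beginning with \"--\") or a broader search term."
  [thread-id]
  (when-not (valid-thread-id? thread-id)
    (throw (ex-info "rejected thread id" {:thread-id thread-id})))
  ;; Fixed options come first; the validated id is the only search term.
  ["notmuch" "show" "--format=json" thread-id])

(defn run-show
  "Invoke notmuch via Runtime.exec(String[]): no shell is involved, so each
   argv element reaches execve(2) as-is. Returns the exit code and stdout so
   the caller can surface notmuch errors instead of silently hiding them."
  [thread-id]
  (let [argv (into-array String (show-argv thread-id))
        proc (.exec (Runtime/getRuntime) argv)
        out  (slurp (.getInputStream proc))   ; drain stdout before waiting
        code (.waitFor proc)]
    {:exit code :out out}))

(comment
  ;; Constructed sample inputs: one accepted, two rejected.
  (show-argv "thread:0000000000001f2a")
  ;; => ["notmuch" "show" "--format=json" "thread:0000000000001f2a"]
  (show-argv "--format=raw")                 ; throws: looks like an option
  (show-argv "thread:abc or tag:secret"))    ; throws: a search expression, not one id
```

Because the allow-list admits only the one token shape the client is supposed to send, the server does not have to rely on notmuch's own option parsing to stop a stray "--" argument, and every rejected request is logged with the offending value for later review.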