bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command
From: npostavs
Subject: bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell
Date: Sun, 14 Aug 2016 23:13:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Demi Obenour <demiobenour@gmail.com> writes:
> We don't know what this is being used for. For all we know, someone has
> written an Emacs plugin that passes a file with an attacker-controlled
> basename (ex. downloaded from the Internet) and uses this function to
> escape the filename before passing it to an external command, and in a
> context where there are unbalanced double quotes (say) in a known env
> var. Result: remote execution of arbitrary code.

Hmm, maybe we could fix this by making Emacs refuse to apply environment
variables with names ending in carets?