bug#59817: [PATCH] Fix etags local command injection vulnerability
From: lux
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 6 Dec 2022 23:49:05 +0800
On Tue, 06 Dec 2022 16:52:40 +0200
Eli Zaretskii <eliz@gnu.org> wrote:
> Windows file names cannot include quote characters, so don't use
> them. And it's TEMP value that you need to tweak, not the file names
> etags scans.
Thank you, fixed.
> I don't understand why you need an extra pair of quotes in the
> expanded string.
>
> $ echo \''hello; world'
> 'hello; world
>
> As you see, the semi-colon was successfully hidden from the shell.
>
> What am I missing?
$ echo Emacs > "'hello'world"
$ cat '\''hello\''world' <---- use \'', error
cat: '\hello\world': No such file or directory
$ cat ''\''hello'\''world' <---- use '\''
Emacs
You can also refer to:
1. https://stackoverflow.com/questions/48970174/escape-single-quote-in-command-argument-to-sh-c
2. And I found a similar function in PHP:
$ cat test.php
<?php
echo escapeshellarg("'hello'world");
$ php test.php
''\''hello'\''world'
Attachment: 0001-Fix-etags-local-command-injection-vulnerability.patch (Text Data)
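The '\'' idiom that the message above demonstrates (and that PHP's escapeshellarg() produces) can be written as a small POSIX sh function. The following is an added example, not code from the bug thread or from Emacs/etags; the function name shell_quote, the demo function and the hostile file name are assumptions made for this illustration. It quotes an arbitrary string so that it survives a trip through sh -c as exactly one argument, then reads back a file whose name contains both single quotes and a semicolon.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Emacs/etags): a POSIX-sh
# equivalent of PHP's escapeshellarg(), i.e. the '\'' idiom discussed above.
# shell_quote, demo and the file name used are assumptions for this example.

# shell_quote STRING
#   Print STRING wrapped in single quotes, with every embedded single quote
#   replaced by '\'' (close the quote, add an escaped quote, reopen), so the
#   result can be spliced into a command line handed to sh -c as one word.
shell_quote() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of the remaining string
        s=${s#?}               # drop it from the remainder
        if [ "$c" = "'" ]; then
            out="$out'\\''"    # a single quote becomes '\''
        else
            out="$out$c"
        fi
    done
    printf "'%s'" "$out"
}

# demo
#   Create a file whose name contains quotes and a semicolon (a constructed
#   hostile name), then cat it through an sh -c command built with
#   shell_quote.  The command prints the file's content, "Emacs", and the
#   text after the semicolon is never executed because it is inside the
#   quoted file name.
demo() {
    dir=$(mktemp -d) || return 1
    name="'hello'world; echo INJECTED"          # constructed hostile file name
    printf 'Emacs\n' > "$dir/$name"
    ( cd "$dir" && sh -c "cat $(shell_quote "$name")" )
    status=$?
    rm -rf "$dir"
    return $status
}

demo
```

Running the file prints Emacs once; shell_quote "'hello'world" yields ''\''hello'\''world', the same string the PHP test in the message prints. Quoting the whole value this way is what makes a file name safe to embed in a command line, in contrast to escaping only the characters one expects to be dangerous.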