bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' fu

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' fu

From:	Xi Lu
Subject:	bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date:	Wed, 22 Feb 2023 22:35:54 +0800

* lisp/filesets.el:
(filesets-select-command, filesets-which-command,
filesets-spawn-external-viewer, filesets-run-cmd): Add `shell-quote-argument'
---
 lisp/filesets.el | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lisp/filesets.el b/lisp/filesets.el
index 1b7e6ffa81f..96ac11bb40b 100644
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -165,14 +165,15 @@ filesets-select-command
   "Select one command from CMD-LIST -- a string with space separated names."
   (let ((this (shell-command-to-string
               (format "which --skip-alias %s 2> %s | head -n 1"
-                      cmd-list null-device))))
+                      (shell-quote-argument cmd-list)
+                       (shell-quote-argument null-device)))))
     (if (equal this "")
        nil
       (file-name-nondirectory (substring this 0 (- (length this) 1))))))
 
 (defun filesets-which-command (cmd)
   "Call \"which CMD\"."
-  (shell-command-to-string (format "which %s" cmd)))
+  (shell-command-to-string (format "which %s" (shell-quote-argument cmd))))
 
 (defun filesets-which-command-p (cmd)
   "Call \"which CMD\" and return non-nil if the command was found."
@@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
                  (funcall vwr file)
                  nil)
                 (co-flag
-                 (shell-command-to-string (format "%s %s" vwr args)))
+                 (shell-command-to-string (shell-quote-argument
+                                            (format "%s %s" vwr args))))
                 (t
-                 (shell-command (format "%s %s&" vwr args))
+                 (shell-command (shell-quote-argument
+                                  (format "%s %s&" vwr args)))
                  nil))))
          (if co-flag
              (progn
@@ -1578,7 +1581,7 @@ filesets-run-cmd
                                   " "))
                                 (cmd (concat fn " " args)))
                            (filesets-cmd-show-result
-                            cmd (shell-command-to-string cmd))))
+                            cmd (shell-command-to-string (shell-quote-argument 
cmd)))))
                         ((symbolp fn)
                          (apply fn
                                 (mapcan (lambda (this)
-- 
2.39.2

[Prev in Thread]

Current Thread

[Next in Thread]

bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function., Xi Lu <=
- bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function., Eli Zaretskii, 2023/02/22
  - bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function., lux, 2023/02/23
    - bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function., Eli Zaretskii, 2023/02/23

Prev by Date: bug#61708: 28.2; file-modes-symbolic-to-number inconsistency
Next by Date: bug#61368: [PATCH] Extend go-ts-mode with support for pre-filling return statements
Previous by thread: bug#61708: 28.2; file-modes-symbolic-to-number inconsistency
Next by thread: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Index(es):
- Date
- Thread