[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' fu
From: |
Eli Zaretskii |
Subject: |
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function. |
Date: |
Thu, 23 Feb 2023 17:58:58 +0200 |
> From: lux <lx@shellcodes.org>
> Cc: 61709@debbugs.gnu.org
> Date: Thu, 23 Feb 2023 21:17:12 +0800
>
> You're right, thank you. I rewrited this patch.
>
> Let me briefly explain this patch:
>
> 1. I think `filesets-select-command' not need fixed, because it not
> used, and I cleaned up relevant old comments in `filesets-external-
> viewers'.
>
> 2. Using `shell-quote-argument' to replace `filesets-quote' and
> `(format "%S" ...)'. Because in the shell, double quotation marks can
> still execute unexpected code, such as $(), `command` and $var.
Thanks. I hesitate installing this because I don't myself use
filesets, and we don't have tests for it. So I'm not sure how to
ensure that we don't break this package.
Does someone else here use filesets?