bug#66390: `man' allows to inject arbitrary shell code
From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 16:04:17 +0300
> From: Maxim Nikulin <m.a.nikulin@gmail.com>
> Date: Sat, 7 Oct 2023 19:47:04 +0700
>
> man.el does not properly escape shell special characters when `man' is
> invoked with an argument to open a particular manual page. As a result
> arbitrary shell code may be executed.
>
> I do not consider it a real issue when the `man' command is invoked
> by a user directly. However it is a security vulnerability when other
> packages call `man' to open a specific page.
>
> Consider an Org mode document with the following link (with ol-man loaded)
>
> <man:File:\:UserDirs(3pm)>
>
> In response to C-c C-o (`org-open-at-point') an error appears instead of
> a formatted manual page
>
> --- 8< ---
> /usr/bin/sh: 1: Syntax error: "(" unexpected
>
> process exited abnormally with code 2
> --- >8 ---
>
> Alternatively just evaluate
>
> (man "File:\\:UserDirs(3pm)")
Why isn't it a problem with the command that invokes 'man', in this
case Org?
> man.el should prevent substitution of shell specials literally from
> `man' arguments into shell commands.
I think callers of 'man' should prevent that instead.
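The point under discussion, illustrated as an added example that is not code from man.el, ol-man, or either message above. The `my-` helpers and `my-man-program` are hypothetical stand-ins for man.el's own command construction; the sample topic is the link target from the report. The block contrasts splicing the argument verbatim into a shell command line (the failure mode reported), quoting it with `shell-quote-argument` (what a caller that must go through the shell would do), and running `man` through `call-process` with an argv list, where no shell is involved and therefore nothing needs quoting.

```elisp
;; Added illustration for bug#66390; not code from man.el, ol-man, or the
;; report.  All `my-' names are hypothetical.

(defvar my-man-program "man"
  "Program to run.  Assumption standing in for man.el's `manual-program'.")

(defun my-man-command-unquoted (topic)
  "Splice TOPIC verbatim into a shell command line.
This reproduces the failure mode the report describes: any shell
metacharacter in TOPIC (parentheses, `;', `$(...)', backticks, `|') is
parsed by /bin/sh instead of being passed to man as part of the page name."
  (format "%s %s" my-man-program topic))

(defun my-man-command-quoted (topic)
  "Same command line, with TOPIC quoted so the shell sees one literal word.
`shell-quote-argument' quotes for the shell Emacs will actually use
(`shell-file-name' / `system-type'), so the result is only meaningful
for that shell."
  (format "%s %s" my-man-program (shell-quote-argument topic)))

(defun my-man-open-without-shell (topic buffer)
  "Run man on TOPIC via `call-process' with an argv list.
No shell is involved, so TOPIC reaches man as exactly one argument
regardless of its contents.  Output is inserted into BUFFER; the return
value is man's exit status (an integer) or a signal description."
  (call-process my-man-program nil buffer nil topic))

;; Constructed input: the link target from the report, i.e. the string
;; File:\:UserDirs(3pm) once Lisp string escapes are resolved.
(defconst my-example-topic "File:\\:UserDirs(3pm)")

;; Compare the two command lines the shell would receive.  The first one
;; contains bare parentheses, which is what produced the "Syntax error:
;; \"(\" unexpected" in the report; the second is a single quoted word.
(list (my-man-command-unquoted my-example-topic)
      (my-man-command-quoted my-example-topic))

;; The shell-free route, for interactive evaluation:
;; (with-current-buffer (get-buffer-create "*my-man*")
;;   (erase-buffer)
;;   (my-man-open-without-shell my-example-topic (current-buffer)))
```

Whichever side of the "who should sanitize" question one takes, the check is the same: evaluate `(my-man-command-unquoted my-example-topic)` and `(my-man-command-quoted my-example-topic)` and confirm that only the quoted form is free of unescaped shell metacharacters. A caller that cannot rely on man.el quoting its argument can either pass the result of `shell-quote-argument` or avoid the shell entirely, as `my-man-open-without-shell` does.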