bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 16:04:17 +0300

> From: Maxim Nikulin <m.a.nikulin@gmail.com>
> Date: Sat, 7 Oct 2023 19:47:04 +0700
> 
> man.el does not properly escape shell special characters when `man' is 
> invoked with an argument to open particular manual page. As a result 
> arbitrary shell code may be executed.
> 
> I do not consider it as a real issue when the `man' command is invoked 
> by a user directly. However it is a security vulnerability when other 
> packages call `man' to open a specific page.
> 
> Consider an Org mode document with the following link and ol-man is loaded
> 
>    <man:File:\:UserDirs(3pm)>
> 
> In response to C-c C-o (`org-open-at-point') an error appears instead of 
> the formatted manual page
> 
> --- 8< ---
> /usr/bin/sh: 1: Syntax error: "(" unexpected
> 
> process exited abnormally with code 2
> --- >8 ---
> 
> Alternatively just evaluate
> 
>   (man "File:\\:UserDirs(3pm)")

Why isn't it a problem with the command that invokes 'man', in this
case Org?

> man.el should prevent substitution of shell specials literally from 
> `man' arguments into shell commands.

I think callers of 'man' should prevent that instead.
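
One shape the caller-side check suggested in the reply could take, as an added example (not code from man.el, Org, or either correspondent). The `my/` names and the allowlist are hypothetical, and the example assumes `man' accepts the "SECTION NAME" form of a topic.

```elisp
;;; Added example.  All `my/' names are hypothetical, not part of Emacs.
(require 'cl-lib)
(require 'man)

(defconst my/man-link-regexp
  (concat "\\`\\([[:alnum:]_][[:alnum:]_.+:-]*\\)"   ; page name, no leading "-"
          "\\(?:(\\([0-9n][[:alnum:]]*\\))\\)?\\'")  ; optional "(section)"
  "Allowlist for NAME or NAME(SECTION) taken from untrusted text.
Anchored with \\\\=` and \\\\=' so an embedded newline cannot hide a suffix.")

(defun my/man-parse-link (topic)
  "Return (NAME . SECTION) if TOPIC matches the allowlist, else nil.
SECTION is nil when TOPIC has no \"(section)\" suffix."
  (save-match-data
    (when (and (stringp topic)
               (string-match my/man-link-regexp topic))
      (cons (match-string 1 topic) (match-string 2 topic)))))

(defun my/man-open-untrusted (topic)
  "Open manual page TOPIC, refusing anything outside the allowlist."
  (let ((parsed (my/man-parse-link topic)))
    (unless parsed
      (user-error "Refusing man page reference: %S" topic))
    ;; Pass "SECTION NAME" so no parentheses are handed on to `man'.
    (man (if (cdr parsed)
             (format "%s %s" (cdr parsed) (car parsed))
           (car parsed)))))

;; Constructed checks: evaluate the buffer to confirm the allowlist.
(cl-assert (equal (my/man-parse-link "File::UserDirs(3pm)")
                  '("File::UserDirs" . "3pm")))
(cl-assert (equal (my/man-parse-link "printf") '("printf")))
(cl-assert (null (my/man-parse-link "File:\\:UserDirs(3pm)"))) ; backslash
(cl-assert (null (my/man-parse-link "-k(1)")))                 ; leading "-"
(cl-assert (null (my/man-parse-link "ls(1)\nx")))              ; newline
```

A link handler would call `my/man-open-untrusted' in place of `man' for text that comes from a document rather than from the user's own input.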




