bug#66390: `man' allows to inject arbitrary shell code

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66390: `man' allows to inject arbitrary shell code

From:	Max Nikulin
Subject:	bug#66390: `man' allows to inject arbitrary shell code
Date:	Sat, 7 Oct 2023 21:29:12 +0700
User-agent:	Mozilla Thunderbird

On 07/10/2023 21:19, Eli Zaretskii wrote:


Sorry, I disagree.  'man' is an interactive command, so it should not
second-guess the user who invokes it.  Commands that call 'man'
non-interactively should make sure they call 'man' with a valid
argument, especially when the argument comes from some file.

Does man.el provide a function that opens references to man pages, butthat is safe in respect to shell specials?

Calling of shell commands belongs to implementation details of man.eland effectively you require that callers must be aware of it.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#66390: `man' allows to inject arbitrary shell code, Maxim Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
  - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin <=
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/08
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/09

Prev by Date: bug#66386: 28.2; RFE: Provide global key bindings for increasing/decreasing numbers at point
Next by Date: bug#66391: 30.0.50; Error when saving a face with :underline attribute in Customize
Previous by thread: bug#66390: `man' allows to inject arbitrary shell code
Next by thread: bug#66390: `man' allows to inject arbitrary shell code
Index(es):
- Date
- Thread