bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 18:10:36 +0300

> Date: Sat, 7 Oct 2023 21:29:12 +0700
> Cc: 66390@debbugs.gnu.org
> From: Max Nikulin <manikulin@gmail.com>
> 
> On 07/10/2023 21:19, Eli Zaretskii wrote:
> > 
> > Sorry, I disagree.  'man' is an interactive command, so it should not
> > second-guess the user who invokes it.  Commands that call 'man'
> > non-interactively should make sure they call 'man' with a valid
> > argument, especially when the argument comes from some file.
> 
> Does man.el provide a function that opens references to man pages, but 
> that is safe in respect to shell specials?
> 
> Calling of shell commands belongs to implementation details of man.el 
> and effectively you require that callers must be aware of it.

No, I just expect the callers to call 'man' with valid arguments.




