[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#66390: `man' allows to inject arbitrary shell code
From: |
Eli Zaretskii |
Subject: |
bug#66390: `man' allows to inject arbitrary shell code |
Date: |
Sat, 07 Oct 2023 18:10:36 +0300 |
> Date: Sat, 7 Oct 2023 21:29:12 +0700
> Cc: 66390@debbugs.gnu.org
> From: Max Nikulin <manikulin@gmail.com>
>
> On 07/10/2023 21:19, Eli Zaretskii wrote:
> >
> > Sorry, I disagree. 'man' is an interactive command, so it should not
> > second-guess the user who invokes it. Commands that call 'man'
> > non-interactively should make sure they call 'man' with a valid
> > argument, especially when the argument comes from some file.
>
> Does man.el provide a function that opens references to man pages, but
> that is safe in respect to shell specials?
>
> Calling of shell commands belongs to implementation details of man.el
> and effectively you require that callers must be aware of it.
No, I just expect the callers to call 'man' with valid arguments.
- bug#66390: `man' allows to inject arbitrary shell code, Maxim Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code,
Eli Zaretskii <=
- bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/08
- bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/09
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/09