bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Michael Albinus
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 17:37:33 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

Max Nikulin <manikulin@gmail.com> writes:

Hi,

>> Sorry, I disagree.  'man' is an interactive command, so it should not
>> second-guess the user who invokes it.  Commands that call 'man'
>> non-interactively should make sure they call 'man' with a valid
>> argument, especially when the argument comes from some file.
>
> Does man.el provide a function that opens references to man pages, but
> that is safe in respect to shell specials?
>
> Calling of shell commands belongs to implementation details of man.el
> and effectively you require that callers must be aware of it.

I tend to agree with both :-) The caller of a shell command (`man ARGS') is
responsible for proper quoting of the arguments.

The function `Man-translate-references' tries to do it. For example, it
translates the argument "cat(1)" into "1 cat", which doesn't pose a
problem. The function should check more strictly, and it should reject
arguments like "File:\\:UserDirs(3pm)". ol-man.el should be busy to
offer only valid arguments to `man' according to the man page man(1).

Oh man ...

Best regards, Michael.
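
Added example, not part of the original message and not code from man.el or ol-man.el: a strict parser for "name(section)" references that rejects anything outside an allowlist before a `man` command line is built. The `my-man-` names and the allowed character sets are assumptions made for illustration.

```emacs-lisp
;;; -*- lexical-binding: t -*-
;; Added example; the `my-man-' functions are hypothetical and do not
;; exist in man.el.  The allowlists below are assumptions.

(defconst my-man-topic-regexp
  "\\`[A-Za-z0-9_+@][A-Za-z0-9_.:+@-]*\\'"
  "Assumed allowlist for a page name.
No whitespace, quotes, backslashes or other shell specials, and no
leading `-' that man could take for an option.")

(defconst my-man-section-regexp
  "\\`[0-9][A-Za-z0-9]*\\'"
  "Assumed section syntax, such as \"1\" or \"3pm\".")

(defun my-man-parse-reference (ref)
  "Parse REF of the form \"name(section)\" or \"name\".
Return (SECTION NAME) or (NAME).  Signal `user-error' when REF does
not match the allowlists, instead of passing it on."
  (let (name section)
    ;; \\` and \\' anchor to the whole string; $ would stop at a newline.
    (if (string-match "\\`\\([^()]+\\)(\\([^()]+\\))\\'" ref)
        (setq name (match-string 1 ref)
              section (match-string 2 ref))
      (setq name ref))
    (unless (string-match-p my-man-topic-regexp name)
      (user-error "Rejected man page name: %S" name))
    (when (and section
               (not (string-match-p my-man-section-regexp section)))
      (user-error "Rejected man section: %S" section))
    (if section (list section name) (list name))))

(defun my-man-command-line (ref)
  "Return a \"man ARGS\" string for REF with every argument quoted."
  (mapconcat #'shell-quote-argument
             (cons "man" (my-man-parse-reference ref))
             " "))

;; Constructed sample references; the last is the one named in the message.
(dolist (ref '("cat(1)" "File::UserDirs(3pm)" "File:\\:UserDirs(3pm)"))
  (condition-case err
      (message "%S -> %s" ref (my-man-command-line ref))
    (user-error
     (message "%S -> %s" ref (error-message-string err)))))
```

Validation runs before quoting, so a reference that fails the allowlist never reaches the shell at all; `shell-quote-argument` is a second layer for the values that pass.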




