bug#66390: `man' allows to inject arbitrary shell code

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66390: `man' allows to inject arbitrary shell code

From:	Eli Zaretskii
Subject:	bug#66390: `man' allows to inject arbitrary shell code
Date:	Sat, 07 Oct 2023 18:58:12 +0300

> From: Michael Albinus <michael.albinus@gmx.de>
> Cc: Eli Zaretskii <eliz@gnu.org>,  66390@debbugs.gnu.org
> Date: Sat, 07 Oct 2023 17:37:33 +0200
> 
> The function `Man-translate-references' tries to do it. For example, it
> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> problem. The function should check stronger, and it should reject
> arguments like "File:\\:UserDirs(3pm)".

Based on what would we reject such arguments?

And what kind of shell would we assume when rejecting that?

Once again, interactive invocations should let the user type whatever
she wants, and if that fails in strange ways, it's on the user, not on
us.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#66390: `man' allows to inject arbitrary shell code, Maxim Nikulin, 2023/10/07
- bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
  - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii <=
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Michael Albinus, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/07
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/08
    - bug#66390: `man' allows to inject arbitrary shell code, Max Nikulin, 2023/10/09
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/09
    - bug#66390: `man' allows to inject arbitrary shell code, lux, 2023/10/09
    - bug#66390: `man' allows to inject arbitrary shell code, Eli Zaretskii, 2023/10/09

Prev by Date: bug#66313: Acknowledgement (29.1.50; process-mark sometimes does not yield the expected value)
Next by Date: bug#66218: 29.1.50; `beginning-of-defun' jumps to wrong position in `emacs-lisp-mode'
Previous by thread: bug#66390: `man' allows to inject arbitrary shell code
Next by thread: bug#66390: `man' allows to inject arbitrary shell code
Index(es):
- Date
- Thread