bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 20:24:54 +0300

> From: Michael Albinus <michael.albinus@gmx.de>
> Cc: manikulin@gmail.com,  66390@debbugs.gnu.org
> Date: Sat, 07 Oct 2023 18:55:01 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> Hi Eli,
> 
> >> The function `Man-translate-references' tries to do it. For example, it
> >> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> >> problem. The function should check stronger, and it should reject
> >> arguments like "File:\\:UserDirs(3pm)".
> >
> > Based on what would we reject such arguments?
> 
> On argument syntax for man. It is documented.

For what versions of 'man'?  There are a lot of different versions; I
myself wrote a clone, for example.

> > And what kind of shell would we assume when rejecting that?
> 
> It isn't a problem of the shell. Man-translate-references manipulates
> the arguments in such a way that no shell quoting is needed.

Then there's no problem to begin with, since the OP claims the problem
is with the shell?

> > Once again, interactive invocations should let the user type whatever
> > she wants, and if that fails in strange ways, it's on the user, not on
> > us.
> 
> Yes, if the user types nonsense it shall fail. The point is where to
> fail. I believe it shall fail already in Man-translate-references, and
> not from the man invocation with a shell.

We cannot do that, unless we implement the entire behavior of 'man' in
Emacs.

> The docstring of man explains already, which kind of arguments are
> expected.

Yes, and we update that all the time, given how the systems stretch
these specs.

There's only madness down that road.
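
The stricter check proposed in the quoted text, sketched as an added example that is not part of this message or of Emacs's man.el: it translates "cat(1)" into the argument list ("1" "cat"), rejects "File:\\:UserDirs(3pm)", and runs man with an argument vector so no shell parses the input. All `my-man-*` names and both character allowlists are assumptions; as the reply notes, 'man' implementations differ in what they accept.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; not code from Emacs's man.el.
;; ASSUMPTION: the character allowlists below are illustrative only.
;; Real `man' implementations accept different page and section names.
(require 'ert)

(defconst my-man-name-re "[[:alnum:]_][[:alnum:]_.+:-]*"
  "Hypothetical allowlist for page names; never starts with a dash.")

(defconst my-man-section-re "[0-9][[:alnum:]]*"
  "Hypothetical allowlist for section names such as 1 or 3pm.")

(defun my-man-parse-reference (ref)
  "Translate REF into a list of arguments for man, or signal `user-error'.
Accepts \"name(section)\", \"section name\" and a bare \"name\"."
  (let ((case-fold-search nil))
    (cond
     ;; "cat(1)" becomes ("1" "cat")
     ((string-match (concat "\\`\\(" my-man-name-re "\\)(\\("
                            my-man-section-re "\\))\\'")
                    ref)
      (list (match-string 2 ref) (match-string 1 ref)))
     ;; "1 cat" is already in section-then-name order
     ((string-match (concat "\\`\\(" my-man-section-re "\\)[ \t]+\\("
                            my-man-name-re "\\)\\'")
                    ref)
      (list (match-string 1 ref) (match-string 2 ref)))
     ;; bare page name
     ((string-match (concat "\\`" my-man-name-re "\\'") ref)
      (list ref))
     ;; Fail here, before any process is started.
     (t (user-error "Not a valid man reference: %S" ref)))))

(defun my-man-run (ref)
  "Run man on REF with an argument vector, so no shell parses REF.
Return a cons cell of the exit status and the output text."
  (let ((args (my-man-parse-reference ref)))
    (with-temp-buffer
      (cons (apply #'call-process "man" nil t nil args)
            (buffer-string)))))

(ert-deftest my-man-parse-reference-test ()
  "Constructed inputs based on the references quoted in the thread."
  (should (equal (my-man-parse-reference "cat(1)") '("1" "cat")))
  (should (equal (my-man-parse-reference "File::UserDirs(3pm)")
                 '("3pm" "File::UserDirs")))
  (should-error (my-man-parse-reference "File:\\:UserDirs(3pm)")
                :type 'user-error)
  (should-error (my-man-parse-reference "-K cat") :type 'user-error))
```

Evaluate the buffer and run `M-x ert RET my-man-parse-reference-test RET` to check the parser without invoking man.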




