bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Michael Albinus
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 19:45:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13)

Eli Zaretskii <eliz@gnu.org> writes:

Hi Eli,

>> On argument syntax for man. It is documented.
>
> For what versions of 'man'?  There are a lot of different versions; I
> myself wrote a clone, for example.

I haven't written such a thing, so you will always beat me. And if you
oppose my proposals, I will happily accept it.

>> > And what kind of shell would we assume when rejecting that?
>>
>> It isn't a problem of the shell. Man-translate-references manipulates
>> the arguments in such a way that no shell quoting is needed.
>
> Then there's no problem to begin with, since the OP claims the problem
> is with the shell?

The OP claims that the arguments could be misused, bypassing exotic
strings which would do terrific work in the shell man is using.

>> > Once again, interactive invocations should let the user type whatever
>> > she wants, and if that fails in strange ways, it's on the user, not on
>> > us.
>>
>> Yes, if the user types nonsense it shall fail. The point is where to
>> fail. I believe it shall fail already in Man-translate-references, and
>> not from the man invocation with a shell.
>
> We cannot do that, unless we implement the entire behavior of 'man' in
> Emacs.
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.

No, the docstring speaks about -a, -k and -l. That's what we shall do.

> There's only madness down that road.

Well, if you still believe there's nothing to do for us I will be quiet.

Best regards, Michael.
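
The approach argued for in this message, failing on unexpected arguments before any shell sees them, sketched in Emacs Lisp. This is an added example, not code from man.el or from anyone in the thread: the `my-man-` names are hypothetical, the option list is the -a, -k and -l mentioned above, and the accepted word syntax is an assumption.

```elisp
;;; Added example; every `my-man-' name is hypothetical, not part of man.el.

(defconst my-man-allowed-options '("-a" "-k" "-l")
  "Options the message above says the `man' docstring speaks about.")

(defconst my-man-word-regexp
  "\\`[[:alnum:]_.:+@/][[:alnum:]_.:+@/()-]*\\'"
  "Assumed conservative syntax for a topic, a -k pattern or a -l file name.
Shell metacharacters such as ; | & $ ` and quotes are not in the set.")

(defun my-man-validate-args (input)
  "Split INPUT on whitespace and return the list of arguments.
Signal `user-error' for an option outside `my-man-allowed-options'
or a word that does not match `my-man-word-regexp'."
  (let ((args (split-string input "[ \t\n]+" t)))
    (unless args
      (user-error "No man page topic given"))
    (dolist (arg args)
      (cond
       ;; Anything starting with a dash must be a known option.
       ((string-prefix-p "-" arg)
        (unless (member arg my-man-allowed-options)
          (user-error "Unsupported man option: %s" arg)))
       ;; Everything else must look like a plain topic or file name.
       ((not (string-match-p my-man-word-regexp arg))
        (user-error "Rejected man argument: %S" arg))))
    args))

(defun my-man-command-line (input)
  "Return a shell command line for INPUT, validated and then quoted.
Quoting each argument is kept as a second layer behind the validation."
  (mapconcat #'shell-quote-argument
             (cons "man" (my-man-validate-args input))
             " "))

;; Constructed inputs: a documented option with a topic, and a
;; name(section) reference, both of which pass validation.
(my-man-command-line "-k printf")
(my-man-command-line "ls(1)")

;; Constructed input carrying a shell metacharacter: validation signals
;; `user-error' before a command line is ever built.
(condition-case err
    (my-man-command-line "ls; echo injected")
  (user-error (error-message-string err)))
```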




