bug#66390: `man' allows to inject arbitrary shell code
From: Michael Albinus
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 19:45:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
Eli Zaretskii <eliz@gnu.org> writes:
Hi Eli,
>> On argument syntax for man. It is documented.
>
> For what versions of 'man'? There are a lot of different versions; I
> myself wrote a clone, for example.
I haven't written such a thing, so you will always beat me. And if you
oppose my proposals, I will happily accept it.
>> > And what kind of shell would we assume when rejecting that?
>>
>> It isn't a problem of the shell. Man-translate-references manipulates
>> the arguments in such a way that no shell quoting is needed.
>
> Then there's no problem to begin with, since the OP claims the problem
> is with the shell?
The OP claims that the arguments could be misused, bypassing exotic
strings which would do terrific work in the shell man is using.
>> > Once again, interactive invocations should let the user type whatever
>> > she wants, and if that fails in strange ways, it's on the user, not on
>> > us.
>>
>> Yes, if the user types nonsense it shall fail. The point is where to
>> fail. I believe it shall fail already in Man-translate-references, and
>> not from the man invocation with a shell.
>
> We cannot do that, unless we implement the entire behavior of 'man' in
> Emacs.
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.
No, the docstring speaks about -a, -k and -l. That's what we shall do.
> There's only madness down that road.
Well, if you still believe there's nothing to do for us I will be quiet.
Best regards, Michael.