bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 21:26:40 +0300

> From: Michael Albinus <michael.albinus@gmx.de>
> Cc: manikulin@gmail.com,  66390@debbugs.gnu.org
> Date: Sat, 07 Oct 2023 19:45:18 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> >> > And what kind of shell would we assume when rejecting that?
> >>
> >> It isn't a problem of the shell. Man-translate-references manipulates
> >> the arguments in such a way that no shell quoting is needed.
> >
> > Then there's no problem to begin with, since the OP claims the problem
> > is with the shell?
> 
> The OP claims that the arguments could be misused, bypassing exotic
> strings which would do terrific work in the shell man is using.

So the problem _is_ with the shell?  If so, the best way of avoiding
these problems is not to invoke 'man' via the shell, but via call-process
and its ilk instead.

> > There's only madness down that road.
> 
> Well, if you still believe there's nothing to do for us I will be quiet.

We can do something, just not the way it was suggested: avoid using
the shell.
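
The difference between the two invocation styles discussed in this message, as an added Emacs Lisp example that is not part of the original message and not code from man.el. The `demo-` names and the topic string are hypothetical and constructed; it assumes a POSIX shell in `shell-file-name` and a `man` that honors `--`.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration.  The `demo-' names are hypothetical, not from man.el.
;; Assumes a POSIX shell in `shell-file-name' and a `man' that honors "--".

(defconst demo-topic "ls; echo $((6*7))"
  "Constructed topic string containing shell metacharacters.")

(defun demo-man-shell (topic)
  "Run man on TOPIC through the shell and return its output.
The command line is one string, so the shell parses TOPIC as syntax."
  (with-temp-buffer
    (call-process-shell-command (concat "man " topic) nil t)
    (buffer-string)))

(defun demo-man-direct (topic &optional section)
  "Run man on TOPIC without a shell; return (EXIT-STATUS . OUTPUT).
Each argument reaches man as one argv element, whatever it contains."
  (with-temp-buffer
    (let* ((args (append (and section (list section)) (list topic)))
           ;; "--" ends option parsing, so TOPIC cannot be read as an option.
           (status (apply #'call-process "man" nil t nil "--" args)))
      (cons status (buffer-string)))))

(defun demo-compare ()
  "Report how the two invocations treat `demo-topic'."
  (let ((shell-out (demo-man-shell demo-topic))
        (direct (demo-man-direct demo-topic)))
    ;; A line consisting only of "42" means the shell evaluated the
    ;; arithmetic expansion and ran the second command.
    (message "via shell: second command ran: %s"
             (if (string-match-p "^42$" shell-out) "yes" "no"))
    (message "via call-process: exit %s, second command ran: %s"
             (car direct)
             (if (string-match-p "^42$" (cdr direct)) "yes" "no"))))
```

Evaluating `(demo-compare)` shows the shell variant executing the trailing command, while the `call-process` variant passes the whole string to `man` as a single page name that does not exist.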




