bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 18:52:52 +0300

> Date: Mon, 9 Oct 2023 22:12:34 +0700
> Cc: michael.albinus@gmx.de, 66390@debbugs.gnu.org
> From: Max Nikulin <manikulin@gmail.com>
> 
> On 08/10/2023 12:28, Eli Zaretskii wrote:
> >> Date: Sun, 8 Oct 2023 10:37:33 +0700 From: Max Nikulin
> > 
> >> I had in mind using at least `shell-quote-argument'.
> > That doesn't work with 'man', which has its own ideas about quoting,
> > besides shell-related quoting.
> 
> I see usage of `shell-quote-argument' for completion where shell is not 
> involved. During formatting there is parsing of references with some 
> regular expressions to get (X) section suffix, but I have not noticed 
> quoting. Certainly the code relies on spaces passed literally and 
> substituted into shell command directly. If there were page names with 
> spaces it would be a problem.
> 
> I mean passing through `shell-quote-argument' each word returned by 
> `Man-translate-references'

What will this do with a man page called [.1 ?

> (defun Man-translate-cleanup (string)
>    "Strip leading, trailing and middle spaces."
>     ^^^^^^^^^^^^^
> 
> (Man-translate-cleanup " w")
> " w"

But

  (Man-translate-cleanup " ww")
    => "ww"




