bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 19:48:21 +0300

> From: lux <lx@shellcodes.org>
> Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
> Date: Tue, 10 Oct 2023 00:30:06 +0800
> 
> There is indeed a code injection vulnerability issue here, for example:
> 
>   (man ";ls")    <-- The `ls' command will be executed.

So does this:

  (shell-command "ls")

Does it mean we will disallow shell-command? Or forcibly quote every
shell command?  We cannot do that.

> Here's my patch and the test cases.

And I ask again: what happens with command (man "[") in this case?

Please believe me: this is not simple.  There's more here than meets
the eye.  In addition to all kinds of weird characters in man-page
names, you also need to consider SEE ALSO links from one man page to
another, which can cross lines and include dashes and whitespace.
Etc. etc...  I had my share of messing with this code, and one thing I
know is that nothing is ever as simple as quoting here.
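
Added example (not part of the thread and not code from Emacs): a POSIX shell sketch of how the shell parses the two topics mentioned above, `;ls` and `[`, plus a constructed `3 printf`, when the topic is pasted into a command string, when it is single-quoted first, and when it is passed as a separate argument. `fake_man`, the `ls` stub, `sh_quote` and the `run_*` helpers are hypothetical names for this illustration; no real man or ls is run.

```shell
#!/bin/sh
# Stand-in for man(1): prints the argument vector it receives.
fake_man() {
    printf 'man argv:'
    for a in "$@"; do printf ' <%s>' "$a"; done
    printf '\n'
}

# Shadow ls with a marker so an injected command is recorded, not run.
ls() { printf 'INJECTED: ls ran\n'; }

# POSIX single-quote escaping: wrap in '...' and turn each ' into '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Topic pasted into a command string that the shell parses again.
run_unquoted() { eval "fake_man $1"; }

# Same command string, with the whole topic quoted first.
run_quoted() { eval "fake_man $(sh_quote "$1")"; }

# No command string at all: the topic is one argv element.
run_argv() { fake_man "$1"; }

# Constructed inputs: the two topics from the thread plus a
# section-and-name topic that contains whitespace.
for topic in ';ls' '[' '3 printf'; do
    printf '%s\n' "--- topic: $topic"
    printf 'unquoted: '; run_unquoted "$topic"
    printf 'quoted:   '; run_quoted "$topic"
    printf 'argv:     '; run_argv "$topic"
done
```

Quoting the whole string stops `;ls` from being parsed as a second command, but it also turns `3 printf` into a single argument instead of a section and a name, so input that is meant to be split has to be split before it is quoted.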
