bug#66390: `man' allows to inject arbitrary shell code

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66390: `man' allows to inject arbitrary shell code

From:	lux
Subject:	bug#66390: `man' allows to inject arbitrary shell code
Date:	Tue, 10 Oct 2023 10:47:17 +0800
User-agent:	Evolution 3.50.0-1

On Mon, 2023-10-09 at 19:48 +0300, Eli Zaretskii wrote:
> > From: lux <lx@shellcodes.org>
> > Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
> > Date: Tue, 10 Oct 2023 00:30:06 +0800
> > 
> > There is indeed an code injection vulnerability issue here, for example:
> > 
> >   (man ";ls")    <-- The `ls' command will be executed.
> 
> So does this:
> 
>   (shell-command "ls")
> 
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command?  We cannot do that.
> 
> 

The responsibilities of the `shell-command' are clear, execute string COMMAND in
inferior shell, But `man' not is, we cannot describe `man' as being "Get a Un*x
manual page and put it in a buffer. But sometime can by the way execute shell
code."

For filenames, the "(", ")", and ";" characters all work. I think we should be
able to handle them correctly, or described in the docstring.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#66390: `man' allows to inject arbitrary shell code, (continued)

Prev by Date: bug#66416: 29.1; Crashes when visiting HELLO file with pgtk on Wayland
Next by Date: bug#65685: 29.1; Inconsistent behavior of quoted file name "/:~" across platforms
Previous by thread: bug#66390: `man' allows to inject arbitrary shell code
Next by thread: bug#66390: `man' allows to inject arbitrary shell code
Index(es):
- Date
- Thread