bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Max Nikulin
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 18:09:43 +0700
User-agent: Mozilla Thunderbird

On 09/10/2023 23:48, Eli Zaretskii wrote:
> And I ask again: what happens with command (man "[") in this case?

"sh" "-c" "man  [ 2>/dev/null | sed  -e '/^[\1-\32][\1-\32]*$/d' #...

so the code in man.el relies on "[" not being interpreted as a special character when it is alone. It is not escaped!

Perhaps you are confused by the following commit

4ef9cc5a5de 2023-07-26 17:30:21 +0300 Eli Zaretskii: Fix "M-x man RET [ RET"

It affects completion, but not M-x man RET [ RET. (And I am surprised that "@" is treated specially for some reason.)

> Please believe me: this is not simple.  There's more here than meets
> the eye.  In addition to all kinds of weird characters in man-page
> names, you also need to consider SEE ALSO links from one man page to
> another, which can cross lines and include dashes and whitespace.
> Etc. etc...  I had my share of messing with this code, and one thing I
> know is that nothing is ever as simple as quoting here.

References split across lines should be handled by the code that creates/opens references, not by `man'. `man' should receive cleaned up references. (Cross-references are a case where a properly implemented roff parser has advantages over dealing with text formatted for tty.)

If you believe that other packages must not call `man' then this function should not have an argument, since it is a part of the public interface.
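
Added example, not part of the original message and not code from man.el: a POSIX sh sketch of the `sh -c` pattern quoted above, comparing a topic spliced into the command text with the same topic passed as a positional parameter or single-quoted first. The function names are hypothetical, `printf '<%s>'` stands in for `man` so the script runs offline, and the topics are constructed samples.

```shell
#!/bin/sh
# printf '<%s>' stands in for man(1): it prints every argument it
# receives inside <...>, so word splitting and expansion become visible.

# Pattern 1: topic spliced into the command text handed to "sh -c",
# as in the command line quoted in the message above.
run_spliced() {
    sh -c "printf '<%s>' $1 2>/dev/null"
}

# Pattern 2: constant command text; the topic arrives as "$1" of the
# inner shell and is never parsed as shell syntax.
run_positional() {
    sh -c 'printf "<%s>" "$1" 2>/dev/null' sh "$1"
}

# Pattern 3: single-quote the topic before splicing, for callers that
# must build one command string. Each ' becomes '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

run_quoted() {
    sh -c "printf '<%s>' $(sh_quote "$1") 2>/dev/null"
}

# Constructed sample topics: a lone "[", a name containing whitespace,
# and a harmless command substitution.
for topic in '[' 'a b' '$(echo injected)'; do
    printf '%-18s spliced=%s positional=%s quoted=%s\n' "$topic" \
        "$(run_spliced "$topic")" \
        "$(run_positional "$topic")" \
        "$(run_quoted "$topic")"
done
```

A lone `[` passes through all three variants unchanged, which is why that test case alone does not show the difference between them.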




