
bug#66390: `man' allows to inject arbitrary shell code


From: lux
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Wed, 11 Oct 2023 11:08:34 +0800
User-agent: Evolution 3.50.0-1

On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> On Okt 10 2023, lux wrote:
> 
> > +        ;; see Bug#66390
> > +   (mapconcat 'identity
> > +                   (mapcar #'shell-quote-argument
> > +                           (split-string ref " "))
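
Review bot: (split-string ref " ") is called without the OMIT-NULLS argument, so a leading, trailing or doubled space in ref produces empty strings, and shell-quote-argument then turns each of them into an empty quoted argument on the command line. Pass t as the third argument to split-string; this still matters if the separator becomes a whitespace regexp, because a match at the very start or end of ref also yields an empty string. Minor: 'identity could be #'identity to match #'shell-quote-argument on the next line, and the ";; see Bug#66390" comment would help more if it said that each piece is quoted before it reaches the shell.
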
> 
> You need to split on arbitrary sequences of whitespace to not introduce
> spurious empty arguments.
> 

Thanks, I've modified it to (split-string ref "\\s-+").


Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch
Description: Text Data
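
The splitting question discussed above, as an added example that is not code from man.el or from the attached patch. The names example-quote-ref, example-refs and example-report are hypothetical, the inputs are constructed, and joining the quoted pieces with a single space is an assumption because the separator is cut off in the quoted hunk.

```elisp
;;; Added example: how the split-string separator changes what
;;; shell-quote-argument sees.  Not part of man.el or the patch.

(defun example-quote-ref (ref separators &optional omit-nulls)
  "Split REF on SEPARATORS and shell-quote every piece.
Hypothetical helper; the single-space join is an assumption."
  (mapconcat #'shell-quote-argument
             (split-string ref separators omit-nulls)
             " "))

(defconst example-refs
  '("printf 3"            ; one space between topic and section
    "printf   3"          ; run of spaces
    " printf\t3 "         ; leading/trailing whitespace and a tab
    "printf 3; echo x")   ; contains a shell metacharacter
  "Constructed sample inputs.")

(defconst example-strategies
  '((" "     nil)   ; literal single space, as in the quoted hunk
    ("\\s-+" nil)   ; whitespace run, as in the reply above
    ("\\s-+" t))    ; whitespace run, empty strings dropped
  "Each entry is (SEPARATORS OMIT-NULLS).")

(defun example-report ()
  "Return one line per input and splitting strategy."
  (let (lines)
    (dolist (ref example-refs)
      (dolist (strategy example-strategies)
        (push (format "%-20S sep=%-8S omit-nulls=%-3S -> %s"
                      ref (car strategy) (cadr strategy)
                      (example-quote-ref ref
                                         (car strategy)
                                         (cadr strategy)))
              lines)))
    (nreverse lines)))

;; "\\s-" matches by the current buffer's syntax table, so the result
;; can differ between buffers; "[ \t\n]+" does not depend on it.
(dolist (line (example-report))
  (message "%s" line))
```

Run it with emacs --batch -l on the saved file and compare the three lines printed for each input: empty pieces show up as extra quoted arguments, and the metacharacter input comes out escaped rather than left for the shell to interpret.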

