bug-gnu-emacs

bug#66390: `man' allows to inject arbitrary shell code


From: Eli Zaretskii
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 10:19:58 +0300

> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Fri, 20 Oct 2023 14:00:50 -0700
> Cc: Max Nikulin <manikulin@gmail.com>, 66390@debbugs.gnu.org, 
> michael.albinus@gmx.de, 
>       Eli Zaretskii <eliz@gnu.org>
> 
> lux <lx@shellcodes.org> writes:
> 
> > On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> >> On Okt 10 2023, lux wrote:
> >>
> >> > +        ;; see Bug#66390
> >> > +        (mapconcat 'identity
> >> > +                   (mapcar #'shell-quote-argument
> >> > +                           (split-string ref " "))
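Review bot: in `(split-string ref " ")` no OMIT-NULLS argument is passed, so leading, trailing or repeated spaces in `ref` yield empty strings, and `shell-quote-argument` turns each of those into `''`, an explicit empty argument on the command line. Passing `t` as the third argument to `split-string` avoids that, and it is still needed if the separator becomes a whitespace regexp, because an explicit separator keeps empty strings at the start and end. On the `mapconcat` line, `'identity` could be `#'identity` to match `#'shell-quote-argument`, and the `;; see Bug#66390` comment would be more useful if it said that the words are quoted because they are passed to a shell.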
> >>
> >> You need to split on arbitrary sequences of whitespace to not introduce
> >> spurious empty arguments.
> >>
> >
> > Thanks, I've modified it to (split-string ref "\\s-+").
> 
> I lost track of this discussion a little bit, but I think we should
> try to have this fixed in Emacs 29.2.

If we have a reliable solution (a hard-to-satisfy condition, see
below), yes.

> Is the below patch acceptable?

I'm not sure it is reliable enough.  man.el is an extremely tricky
package wrt the weird file names it must support (because many man
pages have weird names and include characters that are not normally
found in file names).  In particular, who can guarantee that ';' will
not be part of some man page some day?  It's a valid file-name
character on Posix hosts, isn't it?

So I would be happier with installing this on master instead.
Distros which consider this a serious vulnerability can always
cherry-pick the change in their Emacs 29 distributions.
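
An added illustration, not part of the thread and not code from man.el or from the patch under discussion: it shows how per-word `shell-quote-argument` quoting treats references that contain `;`, parentheses or runs of whitespace. The `demo-*` names are hypothetical, the inputs are constructed, and a POSIX host with `sh` and `printf` is assumed; `printf` stands in for `man` so that the arguments the shell actually receives can be inspected.

```elisp
;; Added illustration; not code from man.el or from the patch under review.
;; The demo-* names are hypothetical and the inputs are constructed.
;; Assumes a POSIX host with sh and printf available.

(defun demo-quote-man-ref (ref)
  "Quote each whitespace-separated word of REF for the shell.
OMIT-NULLS is t, so leading, trailing or repeated whitespace does
not produce empty strings (which would be quoted as '')."
  (mapconcat #'shell-quote-argument
             (split-string ref "[ \t\n\r]+" t)
             " "))

(defun demo-shell-words (ref)
  "Return the argument list the shell derives from the quoted REF.
printf stands in for man and prints one received argument per line."
  (split-string
   (shell-command-to-string
    (concat "printf '%s\\n' " (demo-quote-man-ref ref)))
   "\n" t))

(defun demo-report ()
  "Show the quoted form and the shell-side arguments for constructed inputs."
  (dolist (ref '("ls" "3 printf" "  3   printf  " "foo;bar" "a(3x) b"))
    (message "%S -> %s -> %S"
             ref (demo-quote-man-ref ref) (demo-shell-words ref))))

(demo-report)
```

Evaluating the block writes one line per input to `*Messages*`; a word that the shell receives unchanged, including any `;` it contains, was treated as argument text and not as shell syntax.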




