[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' fu
|
From: |
lux |
|
Subject: |
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function. |
|
Date: |
Mon, 05 Feb 2024 14:13:28 +0800 |
|
User-agent: |
Evolution 3.50.3-1 |
On Wed, 2023-02-22 at 17:29 +0200, Eli Zaretskii wrote:
> > Cc: Xi Lu <lx@shellcodes.org>
> > From: Xi Lu <lx@shellcodes.org>
> > Date: Wed, 22 Feb 2023 22:35:54 +0800
> >
> > (defun filesets-which-command-p (cmd)
> > "Call \"which CMD\" and return non-nil if the command was found."
> > @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
> > (funcall vwr file)
> > nil)
> > (co-flag
> > - (shell-command-to-string (format "%s %s" vwr args)))
> > + (shell-command-to-string (shell-quote-argument
> > + (format "%s %s" vwr args))))
> > (t
> > - (shell-command (format "%s %s&" vwr args))
> > + (shell-command (shell-quote-argument
> > + (format "%s %s&" vwr args)))
> > nil))))
>
> These two cannot be right: you are quoting several separate
> command-line arguments.
>
> > (if co-flag
> > (progn
> > @@ -1578,7 +1581,7 @@ filesets-run-cmd
> > " "))
> > (cmd (concat fn " " args)))
> > (filesets-cmd-show-result
> > - cmd (shell-command-to-string cmd))))
> > + cmd (shell-command-to-string (shell-quote-
> > argument cmd)))))
> > ((symbolp fn)
> > (apply fn
> > (mapcan (lambda (this)
>
> I think this is also wrong: cmd is not a single word.
>
> In general, you cannot quote arbitrary parts of a shell command, you
> can only quote each command-line argument separately.
>
>
>
This patch went unaddressed for a long time, so just to be on the safe side, I
only remove the `filesets-select-command' function.
0001-Removed-the-filesets-select-command-which-was-unused.patch
Description: Text Data
- bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.,
lux <=