[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' fu
|
From: |
Stefan Kangas |
|
Subject: |
bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function. |
|
Date: |
Mon, 5 Feb 2024 02:29:55 -0500 |
Version: 30.1
Eli Zaretskii <eliz@gnu.org> writes:
>> From: lux <lx@shellcodes.org>
>> Cc: 61709@debbugs.gnu.org
>> Date: Thu, 23 Feb 2023 21:17:12 +0800
>>
>> You're right, thank you. I rewrited this patch.
>>
>> Let me briefly explain this patch:
>>
>> 1. I think `filesets-select-command' not need fixed, because it not
>> used, and I cleaned up relevant old comments in `filesets-external-
>> viewers'.
>>
>> 2. Using `shell-quote-argument' to replace `filesets-quote' and
>> `(format "%S" ...)'. Because in the shell, double quotation marks can
>> still execute unexpected code, such as $(), `command` and $var.
Thank you for paying attention to these issues.
Pushed to master as commit 7756e9c7361, and closing the bug.
> Thanks. I hesitate installing this because I don't myself use
> filesets, and we don't have tests for it. So I'm not sure how to
> ensure that we don't break this package.
>
> Does someone else here use filesets?
Let's hope that if it breaks something, someone will report a bug. :-/