From: Max Nikulin
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 21:29:12 +0700
Message-ID: <1865abb8-16cd-4570-9a8a-87cf9430583d@gmail.com>
References: <83wmvyzir2.fsf@gnu.org> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@gmail.com> <83v8bizf9r.fsf@gnu.org>
To: Eli Zaretskii
Cc: 66390@debbugs.gnu.org
In-Reply-To: <83v8bizf9r.fsf@gnu.org>

On 07/10/2023 21:19, Eli Zaretskii wrote:
>
> Sorry, I disagree. 'man' is an interactive command, so it should not
> second-guess the user who invokes it. Commands that call 'man'
> non-interactively should make sure they call 'man' with a valid
> argument, especially when the argument comes from some file.

Does man.el provide a function that opens references to man pages, but
that is safe with respect to shell specials? Calling shell commands is an
implementation detail of man.el, and effectively you require that callers
be aware of it.
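The distinction the thread is arguing about, shown in code as an added example that is not part of this bug report and not man.el's own code: a page reference spliced into a shell command string is interpreted by the shell, while the same reference quoted with `shell-quote-argument` or passed as a single argument to `call-process` is not. The `example-` functions and the validity regexp are assumptions of this example; it further assumes a POSIX shell and a `man` binary on `PATH`.

```elisp
;; Added example (not code from man.el or from this bug report).
;; The `example-' helpers are hypothetical names, not anything Emacs
;; ships.  Assumes a POSIX shell and that `man' is on PATH.

;; 1. The risky shape: REF is spliced into a shell command string, so
;;    every shell metacharacter in it is parsed by `shell-file-name'.
;;    Kept here only to contrast with the forms below.
(defun example-man-shell-string (ref)
  "Return a shell command string that splices REF in unquoted."
  (concat "man " ref))

;; 2. Same shell path, but REF is quoted first.  On a POSIX system
;;    `shell-quote-argument' backslash-escapes every character outside
;;    [-0-9a-zA-Z_./], so the shell hands REF to man verbatim.
(defun example-man-shell-string-quoted (ref)
  "Return a shell command string with REF quoted by `shell-quote-argument'."
  (concat "man " (shell-quote-argument ref)))

;; 3. No shell at all: REF travels as one argv element to `call-process',
;;    so nothing inside it is ever read as shell syntax.
(defun example-man-page-text (ref)
  "Run `man' on REF without a shell and return its output as a string.
Signal an error if `man' exits non-zero."
  (with-temp-buffer
    (let ((status (call-process "man" nil t nil ref)))
      (unless (eql status 0)
        (error "man %s failed with status %s" ref status))
      (buffer-string))))

;; 4. A conservative check a non-interactive caller can apply before
;;    handing a reference read from a file to any of the above:
;;    NAME optionally followed by (SECTION), nothing else.  The pattern
;;    is an assumption of this example and is stricter than what `man'
;;    itself accepts.
(defun example-man-ref-p (ref)
  "Return non-nil if REF looks like NAME or NAME(SECTION)."
  (and (stringp ref)
       (string-match-p
        "\\`[[:alnum:]_.+:@-]+\\(?:([[:alnum:]]+)\\)?\\'" ref)
       t))

;; Constructed sample input: one well-formed reference and one carrying
;; a shell metacharacter, as it might arrive from an untrusted file.
(let ((good "ls(1)")
      (bad "ls(1); echo injected"))
  (list (example-man-ref-p good)
        (example-man-ref-p bad)
        (example-man-shell-string bad)
        (example-man-shell-string-quoted bad)))
```

Evaluating the final form shows `example-man-ref-p` accepting the first reference and rejecting the second, and the quoted shell string carrying backslashes before `(`, `)`, `;` and the spaces, which is exactly what keeps the shell from treating them as syntax. `example-man-page-text` sidesteps the question entirely by never invoking a shell, which is the property a caller would want from a library entry point that takes references from files.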