From: Eli Zaretskii <eliz@gnu.org>
To: Max Nikulin <manikulin@gmail.com>
Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 08 Oct 2023 08:28:00 +0300 [thread overview]
Message-ID: <831qe5znrz.fsf@gnu.org> (raw)
In-Reply-To: <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@gmail.com> (message from Max Nikulin on Sun, 8 Oct 2023 10:37:33 +0700)
> Date: Sun, 8 Oct 2023 10:37:33 +0700
> Cc: 66390@debbugs.gnu.org
> From: Max Nikulin <manikulin@gmail.com>
>
> On 08/10/2023 01:26, Eli Zaretskii wrote:
> >
> > So the problem _is_ with the shell? If so, the best way of avoiding
> > these problems is not invoke 'man' via the shell, but via call-process
> > and its ilk instead.
>
> It will be great if it is possible to avoid shell in the middle. However
> - man.el uses pipes with sed and awk to post-process output of man
> executable.
> - if support of remote man files is considered then it is even more hard
> to avoid shell. SSH assumes shell commands.
Even if sometimes the shell cannot be avoided (which has yet to be
established, AFAIU), it's not an argument against avoiding it where
possible, because that solves any security issues, definitely those
you brought up.
> I had in mind using at least `shell-quote-argument'.
That doesn't work with 'man', which has its own ideas about quoting,
besides shell-related quoting.
> The issues of sanitizing outputs in callers
> - If there was a safe function in man.el then callers code would be more
> simple, so it would be less probable to introduce bugs in such code.
> - behavior of the `man' emacs command is *underspecified*, so it is hard
> to provide safe argument for it. Some parenthesis are allowed as in
> "man(1)" others may be interpreted by shell.
> - `shell-quote-argument' in callers would rely on man.el implementation
> details at best or may even lead to undefined behavior since I see have
> no way to bypass some processing of the argument of the `man' emacs command.
Reiterating what you already said doesn't help to have a productive
discussion.
> Execution a part of `man' emacs command argument by shell is a surprise
> to the user any case. Ideally elisp code should prevent it and man.el
> should emit an error.
IMO, this ideal cannot be reached in practice, let alone kept for any
length of time. Systems are adding strangely-named man pages all the
time. We had quite a few bug reports about that during the recent
years.
> Attempts to call of `man' from other packages is an open door for
> security vulnerabilities.
Then perhaps those other packages shouldn't call 'man'.
next prev parent reply other threads:[~2023-10-08 5:28 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-07 12:47 bug#66390: `man' allows to inject arbitrary shell code Maxim Nikulin
2023-10-07 13:04 ` Eli Zaretskii
2023-10-07 14:12 ` Max Nikulin
2023-10-07 14:19 ` Eli Zaretskii
2023-10-07 14:29 ` Max Nikulin
2023-10-07 15:10 ` Eli Zaretskii
2023-10-07 15:37 ` Michael Albinus
2023-10-07 15:58 ` Eli Zaretskii
2023-10-07 16:55 ` Michael Albinus
2023-10-07 17:24 ` Eli Zaretskii
2023-10-07 17:45 ` Michael Albinus
2023-10-07 18:26 ` Eli Zaretskii
2023-10-08 3:37 ` Max Nikulin
2023-10-08 5:28 ` Eli Zaretskii [this message]
2023-10-09 15:12 ` Max Nikulin
2023-10-09 15:52 ` Eli Zaretskii
2023-10-09 16:30 ` lux
2023-10-09 16:48 ` Eli Zaretskii
2023-10-09 17:07 ` Ihor Radchenko
2023-10-09 17:20 ` Andreas Schwab
2023-10-10 2:47 ` lux
2023-10-10 7:43 ` Stefan Kangas
2023-10-10 12:11 ` Eli Zaretskii
2023-10-10 12:25 ` Stefan Kangas
2023-10-10 11:09 ` Max Nikulin
2023-10-10 10:54 ` Max Nikulin
2023-10-10 14:30 ` lux
2023-10-10 16:21 ` Andreas Schwab
2023-10-11 3:08 ` lux
2023-10-11 10:46 ` Max Nikulin
2023-10-20 21:00 ` Stefan Kangas
2023-10-21 7:19 ` Eli Zaretskii
2023-10-21 7:35 ` Andreas Schwab
2023-10-21 7:45 ` Eli Zaretskii
2023-10-21 9:19 ` Stefan Kangas
2024-01-10 21:21 ` Stefan Kangas
2024-01-11 12:07 ` Ihor Radchenko
2024-01-11 14:34 ` Max Nikulin
2024-01-11 15:07 ` Ihor Radchenko
2024-01-11 15:28 ` Eli Zaretskii
2024-01-11 15:37 ` Ihor Radchenko
2023-10-09 2:36 ` Richard Stallman
2023-10-09 11:04 ` Eli Zaretskii
2023-10-10 11:56 ` Richard Stallman
2023-10-11 10:56 ` Max Nikulin
2023-10-08 3:42 ` Maxim Nikulin
2023-10-08 5:20 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=831qe5znrz.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=66390@debbugs.gnu.org \
--cc=manikulin@gmail.com \
--cc=michael.albinus@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).