From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 08 Oct 2023 08:20:09 +0300
Message-ID: <8334ylzo52.fsf@gnu.org>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@gmail.com>
 <83wmvyzir2.fsf@gnu.org> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@gmail.com>
 <83v8bizf9r.fsf@gnu.org> <1865abb8-16cd-4570-9a8a-87cf9430583d@gmail.com>
 <875y3iigua.fsf@gmx.de> <83o7hazap7.fsf@gnu.org> <87mswugyoq.fsf@gmx.de>
 <83jzryz6op.fsf@gnu.org> <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@gmail.com>
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="13572"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
To: Maxim Nikulin <manikulin+gzh@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sun Oct 08 07:21:03 2023
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1qpMDu-0003HR-6Y
	for geb-bug-gnu-emacs@m.gmane-mx.org; Sun, 08 Oct 2023 07:21:02 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1qpMDd-0002kO-KB; Sun, 08 Oct 2023 01:20:45 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpMDb-0002kB-0u
 for bug-gnu-emacs@gnu.org; Sun, 08 Oct 2023 01:20:43 -0400
Original-Received: from debbugs.gnu.org ([2001:470:142:5::43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1qpMDa-0004Do-Ny
 for bug-gnu-emacs@gnu.org; Sun, 08 Oct 2023 01:20:42 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1qpMDu-00050a-BT
 for bug-gnu-emacs@gnu.org; Sun, 08 Oct 2023 01:21:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 08 Oct 2023 05:21:02 +0000
Resent-Message-ID: <handler.66390.B66390.169674245019224@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 66390
X-GNU-PR-Package: emacs
Original-Received: via spool by 66390-submit@debbugs.gnu.org id=B66390.169674245019224
 (code B ref 66390); Sun, 08 Oct 2023 05:21:02 +0000
Original-Received: (at 66390) by debbugs.gnu.org; 8 Oct 2023 05:20:50 +0000
Original-Received: from localhost ([127.0.0.1]:56154 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1qpMDi-0004zz-11
 for submit@debbugs.gnu.org; Sun, 08 Oct 2023 01:20:50 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:47732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@gnu.org>) id 1qpMDf-0004zl-Sw
 for 66390@debbugs.gnu.org; Sun, 08 Oct 2023 01:20:48 -0400
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1qpMDF-000485-GX; Sun, 08 Oct 2023 01:20:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date:
 mime-version; bh=LScC/TTtdMKJm8cIEcdjU/Mp1KhudsVIPyZ+1DzdzTk=; b=Ah0M4dyZG6tr
 KoABr/XtnvUU8hWKTk8WpEpahF0LF4uYPWFSWK1IYiwC7/pDl4bHfjKpPgO3iqBsX5JQTH/39nByU
 Dcf8p/JTs2yQDPe5i8izVWqJ6fQ5dd5HCxKwV/1voMrv0bZNtQOB0/0GVhmlYgJA28Z+njq+FQVru
 vhvyExlz5wgHSci4wADcMaj1s9nRwjmTDQ2q9kgiALembBgcTDYfpmgkaLmgkrgC9UNiI/qs+B4UC
 O78TBt1xSLHcFnWiyYfjbpZFiUZD1W2+yURbV0vtHghGNnKo6BgaVGANTRyj9xdOC6uGD3uFxIwcY
 gKQTeudZoYPY5TGgMxrIjQ==;
In-Reply-To: <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@gmail.com> (message from
 Maxim Nikulin on Sun, 8 Oct 2023 10:42:03 +0700)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:272059
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/272059>

> Date: Sun, 8 Oct 2023 10:42:03 +0700
> Cc: 66390@debbugs.gnu.org
> From: Maxim Nikulin <manikulin+gzh@gmail.com>
> 
> On 08/10/2023 00:24, Eli Zaretskii wrote:
> >> From: Michael Albinus Date: Sat, 07 Oct 2023 18:55:01 +0200
> > 
> >> The docstring of man explains already, which kind of arguments are
> >> expected.
> > 
> > Yes, and we update that all the time, given how the systems stretch
> > these specs.
> 
> I see some discrepancy with the declaration of stable API in "Re: 
> Completion of links to man pages"

IMO, you see something that doesn't exist.  The quoted message was
talking about Lisp API for completing names of 'man' pages, not about
the spec of 'man' arguments.