From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 10:19:58 +0300
Message-ID: <83h6mksaqp.fsf@gnu.org>
In-Reply-To: (message from Stefan Kangas on Fri, 20 Oct 2023 14:00:50 -0700)
To: Stefan Kangas
Cc: lx@shellcodes.org, manikulin@gmail.com, 66390@debbugs.gnu.org, schwab@linux-m68k.org, michael.albinus@gmx.de

> From: Stefan Kangas
> Date: Fri, 20 Oct 2023 14:00:50 -0700
> Cc: Max Nikulin , 66390@debbugs.gnu.org, michael.albinus@gmx.de,
>  Eli Zaretskii
>
> lux writes:
>
> > On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> >> On Okt 10 2023, lux wrote:
> >>
> >> > +        ;; see Bug#66390
> >> > + (mapconcat 'identity
> >> > +                   (mapcar #'shell-quote-argument
> >> > +                           (split-string ref " "))
> >>
> >> You need to split on arbitrary sequences of whitespace to not introduce
> >> spurious empty arguments.
> >>
> >
> > Thanks, I've modified it to (split-string ref "\\s-+").
>
> I lost track of this discussion a little bit, but I think we should
> try to have this fixed in Emacs 29.2.

If we have a reliable solution (a hard-to-satisfy condition, see
below), yes.

> Is the below patch acceptable?

I'm not sure it is reliable enough.  man.el is an extremely tricky
package wrt the weird file names it must support (because many man
pages have weird names and include characters that are not normally
found in file names).  In particular, who can guarantee that ';' will
not be part of some man page some day?  It's a valid file-name
character on Posix hosts, isn't it?

So I would be happier with installing this on master instead.
Distros which consider this a serious vulnerability can always cherry-pick the change in their Emacs 29 distributions.
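
Review bot: in the quoted hunk, (split-string ref " ") splits on a single space, so a doubled space, a tab, or leading or trailing blanks in ref produce empty strings, and shell-quote-argument turns each empty string into '', which reaches the shell as an extra empty argument. The "\\s-+" separator agreed on later in the thread handles runs of whitespace, but split-string still returns an empty first or last element when ref begins or ends with whitespace; passing t as the OMIT-NULLS argument, (split-string ref "\\s-+" t), drops those as well. As a style point, 'identity on the mapconcat line could be written #'identity to match the #'shell-quote-argument on the next line.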