From: Eli Zaretskii <eliz@gnu.org>
To: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Cc: 21702@debbugs.gnu.org
Subject: bug#21702: shell-quote-argument semantics and safety
Date: Sun, 18 Oct 2015 22:48:15 +0300 [thread overview]
Message-ID: <83h9lohsao.fsf@gnu.org> (raw)
In-Reply-To: <874mhoq9ct.fsf@T420.taylan>
> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
> Cc: 21702@debbugs.gnu.org
> Date: Sun, 18 Oct 2015 21:12:34 +0200
>
> I'd like to point out that (in the most extreme cases) people have
> actually been writing web servers and other such programs in Elisp for
> which one would normally use a general-purpose language.
>
> That is, "APIs that could be maliciously abused" is not the right way to
> look at it. It's not about the Elisp programmer abusing the API, it's
> about a malicious data source exploiting a (potential) flaw in an Elisp
> function, which Elisp programmers have relied on and thus made their
> programs vulnerable to code injection.
>
>
> That's why I was being so careful with regard to the safety guarantees
> of the "shell-quasiquote" package I contributed. I would like people to
> be able to use that as part of a general-purpose Elisp language, and so
> being safe against code injection is an absolute must. They might after
> all use it as part of a network-facing service.
>
>
> Actually that might also apply when using e.g. TRAMP, which also
> communicates with remote hosts and is a normal part of Emacs. I've been
> told it receives file names from remote hosts and passes them through
> shell-quote-argument before giving them to a shell. So maybe my
> concerns apply there as well.
>
>
> Given that, "I think 1) is now covered" is not very relieving to hear.
Item 1 was this:
> >> The function should clearly document
> >>
> >> 1) for which shells will the quoting work absolutely, i.e. lead to
> >> the given string to appear *verbatim* in an element of the ARGV of
> >> the called command,
There's nothing about safety here, only about correctness. That is
the aspect that I think is now covered, as the doc string now says for
which shells one can have correct results.
> It amounts to "I think this is safe against code injection" which is
> rather alarming to hear. Either it's very confidently known to be safe
> and so one may use it for network-facing code, or it's not confidently
> known to be safe and so one shouldn't use it for network-facing code.
> This should be documented clearly especially so that users who aren't
> very aware of injection attacks won't nonchalantly use the function for
> their network-facing code (when the function isn't known to be safe for
> this), but also so that users who are aware of such issues know they can
> use the function and don't instead invent their own thing (when it is
> known to be safe).
>
> Does that make sense?
Maybe it does, but only if we start documenting these aspects
project-wide. It makes little sense to me to do that for a single
API, and not an important one at that. But that's me.
next prev parent reply other threads:[~2015-10-18 19:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-18 12:36 bug#21702: shell-quote-argument semantics and safety Taylan Ulrich Bayırlı/Kammer
[not found] ` <handler.21702.B.144517177511995.ack@debbugs.gnu.org>
2015-10-18 15:26 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 17:16 ` Eli Zaretskii
2015-10-18 19:12 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 19:48 ` Eli Zaretskii [this message]
2015-10-19 7:34 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 7:47 ` Eli Zaretskii
2015-10-19 9:22 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 9:32 ` Eli Zaretskii
2015-10-19 9:50 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 10:19 ` Eli Zaretskii
2015-10-19 10:25 ` Taylan Ulrich Bayırlı/Kammer
2015-10-22 3:49 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83h9lohsao.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=21702@debbugs.gnu.org \
--cc=taylanbayirli@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).