From: Eli Zaretskii
To: Maxim Nikulin
Cc: 66390@debbugs.gnu.org
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 16:04:17 +0300
Message-ID: <83wmvyzir2.fsf@gnu.org>
In-Reply-To: (message from Maxim Nikulin on Sat, 7 Oct 2023 19:47:04 +0700)

>
> From: Maxim Nikulin
> Date: Sat, 7 Oct 2023 19:47:04 +0700
>
> man.el does not escape properly shell special characters when `man' is
> invoked with an argument to open particular manual page. As a result
> arbitrary shell code may be executed.
>
> I do not consider it as a real issue when the `man' command is invoked
> by a user directly. However it is a security vulnerability when other
> packages call `man' to open a specific page.
>
> Consider an Org mode document with the following link and ol-man is loaded
>
>
>
> In response to C-c C-o (`org-open-at-point') an error appears instead of
> formatted manual page
>
> --- 8< ---
> /usr/bin/sh: 1: Syntax error: "(" unexpected
>
> process exited abnormally with code 2
> --- >8 ---
>
> Alternatively just evaluate
>
> (man "File:\\:UserDirs(3pm)")

Why isn't it a problem with the command that invokes 'man', in this
case Org?

> man.el should prevent substitution of shell specials literally from
> `man' arguments into shell commands.

I think callers of 'man' should prevent that instead.
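
The two positions in this exchange, callee-side escaping and caller-side checking, shown side by side in an added shell example that is not part of the original message or of man.el. `printf` stands in for the man pipeline, `TOPIC` is a constructed value modelled on the string in the report, and `sh_quote`, `run_*` and `valid_topic` (with its allowed character set) are hypothetical names and assumptions of this example.

```shell
#!/bin/sh
# Added example; printf stands in for the man pipeline so it runs offline.
# TOPIC is a constructed value modelled on the string in the report.
TOPIC='File::UserDirs(3pm)'

# Pattern from the report: the topic is pasted into the text given to sh -c,
# so the shell parses "(" as syntax instead of as part of the page name.
run_interpolated() {
    sh -c "printf '%s\n' $1"
}

# Callee-side option A: single-quote the topic before pasting it in.
sh_quote() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
}
run_quoted() {
    sh -c "printf '%s\n' $(sh_quote "$1")"
}

# Callee-side option B: constant command text, topic passed as a positional
# parameter, so it is never parsed as shell source.
run_positional() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Caller-side check: accept only name or name(section). The allowed
# characters are an assumption of this example, not a rule from man.el.
valid_topic() {
    name=${1%%\(*}; sect=${1#"$name"}
    case $name in ''|-*|*[!A-Za-z0-9_.:+-]*) return 1 ;; esac
    case $sect in '') return 0 ;; \([0-9]*\)) ;; *) return 1 ;; esac
    sect=${sect#\(}; sect=${sect%\)}
    case $sect in *[!A-Za-z0-9]*) return 1 ;; esac
}

# Show how each variant treats the same topic string.
for f in run_interpolated run_quoted run_positional; do
    if out=$("$f" "$TOPIC" 2>&1); then st=ok; else st=FAILED; fi
    printf '%-17s %-6s %s\n' "$f" "$st" "$out"
done
if valid_topic "$TOPIC"; then echo "valid_topic       accepts $TOPIC"; fi
```

The interpolated variant fails with the same kind of syntax error quoted in the report, while the quoted and positional variants deliver the topic unchanged.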