From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Albinus
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 19:45:18 +0200
Message-ID: <87a5sugwcx.fsf@gmx.de>
In-Reply-To: <83jzryz6op.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 07 Oct 2023 20:24:54 +0300")
To: Eli Zaretskii
Cc: manikulin@gmail.com, 66390@debbugs.gnu.org

Eli Zaretskii writes:

Hi Eli,

>> On argument syntax for man. It is documented.
>
> For what versions of 'man'? There are a lot of different versions; I
> myself wrote a clone, for example.

I haven't written such a thing, so you will always beat me. And if you
oppose my proposals, I will happily accept it.

>> > And what kind of shell would we assume when rejecting that?
>>
>> It isn't a problem of the shell. Man-translate-references manipulates
>> the arguments such a way that no shell quoting is needed.
>
> Then there's no problem to begin with, since the OP claims the problem
> is with the shell?

The OP claims that the arguments could be misused, bypassing exotic
strings which would do terrific work in the shell man is using.

>> > Once again, interactive invocations should let the user type whatever
>> > she wants, and if that fails in strange ways, it's on the user, not on
>> > us.
>>
>> Yes, if the user types nonsense it shall fail. The point is where to
>> fail. I believe it shall fail already in Man-translate-references, and
>> not from the man invocation with a shell.
>
> We cannot do that, unless we implement the entire behavior of 'man' in
> Emacs.
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.

No, the docstring speaks about -a, -k and -l. That's what we shall do.

> There's only madness down that road.

Well, if you still believe there's nothing to do for us I will be quiet.

Best regards, Michael.
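
An added illustration of the approach argued for in this message (reject unexpected arguments before any shell sees them, then quote what remains); it is not code from man.el or from any participant in the thread. The `my-man-` names and the operand grammar are assumptions; only the options -a, -k and -l come from the message.

```emacs-lisp
;;; Added illustration, NOT the code of man.el.  Every `my-man-' name is
;;; hypothetical; the accepted grammar is an assumption built around the
;;; three options named in the thread (-a, -k, -l).

(defconst my-man-allowed-options '("-a" "-k" "-l")
  "Options the thread says the `man' docstring documents.")

(defconst my-man-operand-regexp
  ;; Assumed operand shape: a page name, keyword or file path that does
  ;; not start with `-', optionally followed by a section such as "(3)".
  ;; Quotes, `$', `;', `|', `&', backquotes and whitespace never match.
  "\\`[[:alnum:]_./+:@][[:alnum:]_./+:@-]*\\(?:([[:alnum:]]+)\\)?\\'"
  "Regexp an operand must match in full.")

(defun my-man-parse-args (input)
  "Split INPUT on whitespace and return the list of man arguments.
Signal `user-error' if a token is neither an allowed option nor a
well-formed operand, so the failure happens before any process starts."
  (let ((tokens (split-string input "[ \t\n]+" t)))
    (unless tokens
      (user-error "Empty man topic"))
    (dolist (tok tokens tokens)
      (unless (or (member tok my-man-allowed-options)
                  (string-match-p my-man-operand-regexp tok))
        (user-error "Rejected man argument: %S" tok)))))

(defun my-man-command-line (input)
  "Return a shell command string for INPUT.
Arguments are validated first and then quoted one by one, so the shell
still receives each as a single word if the grammar is widened later."
  (mapconcat #'shell-quote-argument
             (cons "man" (my-man-parse-args input))
             " "))

(defun my-man-run (input buffer)
  "Run man on INPUT without a shell, sending its output to BUFFER.
Passing an argument list to `call-process' means no shell parses it."
  (apply #'call-process "man" nil buffer nil
         (my-man-parse-args input)))

;; Accepted forms include "printf(3)", "3 printf", "-k printf" and
;; "-l ./page.1".  An option outside the allowlist, or a token holding a
;; shell metacharacter, signals `user-error' in `my-man-parse-args'.
```

An allowlist this narrow rejects options that some `man` implementations accept, which is the compatibility cost raised in the quoted replies.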