From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Newsgroups: gmane.emacs.bugs
Subject: bug#21702: shell-quote-argument semantics and safety
Date: Mon, 19 Oct 2015 11:22:16 +0200
Message-ID: <87vba3nrg7.fsf@T420.taylan>
References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org>
In-Reply-To: <83twpnguzz.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 19 Oct 2015 10:47:28 +0300")
To: Eli Zaretskii
Cc: 21702@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:107748

Eli Zaretskii writes:
>> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
>> Cc: 21702@debbugs.gnu.org
>> Date: Mon, 19 Oct 2015 09:34:15 +0200
>>
>> > Item 1 was this:
>> >
>> >> >> The function should clearly document
>> >> >>
>> >> >> 1) for which shells will the quoting work absolutely, i.e. lead to
>> >> >> the given string to appear *verbatim* in an element of the ARGV of
>> >> >> the called command,
>> >
>> > There's nothing about safety here, only about correctness. That is
>> > the aspect that I think is now covered, as the doc string now says for
>> > which shells one can have correct results.
>>
>> Usually it's indeed correctness that protects against injection attacks.
>> A quoting mechanism that's correct is automatically safe.
>
> And that is the current situation, AFAIU.
>
>> Another way to make it safe would be to error when the given string
>> contains characters outside of a limited character set.
>
> What limited set would you suggest that will not make the function
> useless in real-life scenarios?
>
> In any case, I think quoting is better than rejecting, as it supports
> more use cases.
>
>> Either way, the safeness should be documented clearly, either implicitly
>> through a clear documentation of the correctness, or explicitly.
>
> Like I said, this convention should be adopted project-wide. Doing so
> only in a few doc strings, let alone one, will only confuse, because
> the user will not know whether the lack of such documentation means
> the API is safe or unsafe.

Yes, it should be done for every function for which the concerns I've
explained apply. So let's start from this one.

>> I would propose something along the lines of:
>>
>> It is guaranteed that ARGUMENT will be parsed as a single token by
>> shells X, Y, and Z, as long as it is separated from other text via a
>> delimiter in the syntax of the respective shell.
>
> I don't think we want to mention specific shells explicitly, because
> maintaining such a list would be a burden. The standard shell of each
> OS is well defined and known to the users of the respective systems.
> Moreover, Emacs by default uses that shell automatically.

For instance, POSIX sh, MS-DOS, and Windows NT is not a long list. (I
don't really know what shells MS-DOS and Windows NT use; a more precise
naming would be good.) The payoff of the small burden is having clear
safety guarantees.

>> >> Does that make sense?
>> >
>> > Maybe it does, but only if we start documenting these aspects
>> > project-wide. It makes little sense to me to do that for a single
>> > API, and not an important one at that. But that's me.
>>
>> This is an API which if its implementation is imperfect will result in
>> programs prone to code injection attacks when these programs face
>> untrusted input sources. Why do you say it's not an important one?
>
> Because there are many much more important ones that can do much more
> harm more easily. In particular, a shell command doesn't need to be
> quoted to be harmful or malicious.

There being other important cases does not make this a less important
case. It is exactly as important as I've already said. I don't
understand what "a shell command doesn't need to be quoted to be
harmful" is supposed to mean; quoting is what *makes* the arguments
harmless, by ensuring they cleanly end up in the ARGV of a called
command instead of causing arbitrary behavior of the shell.

Here's a patch doing an improvement to the documentation like the one I
proposed. Of course, if you have verified that shells other than POSIX
sh are fully safe, feel free to improve the docstring accordingly.

Taylan

Content-Type: text/x-diff
Content-Disposition: inline; filename=0001-lisp-subr.el-shell-quote-argument-Improve-documentat.patch

From bb746be5638a17c99e1647ecc178e3b9d97e4ba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Taylan=20Ulrich=20Bay=C4=B1rl=C4=B1/Kammer?= Date: Sun, 18 Oct 2015 14:23:35 +0200 Subject: [PATCH] * lisp/subr.el (shell-quote-argument): Improve documentation. --- lisp/subr.el | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lisp/subr.el b/lisp/subr.el index c903ee3..e55647b 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -2713,8 +2713,14 @@ Note: :data and :device are currently not supported on Windows." (defun shell-quote-argument (argument) "Quote ARGUMENT for passing as argument to an inferior shell. -This function is designed to work with the syntax of your system's -standard shell, and might produce incorrect results with unusual shells." +This is safe for shells conforming to POSIX sh. No safety +guarantees are made for other shells, but the standard MS-DOS and +Windows NT shells are supported as well. + +Being safe in this context means that as long as the result is +surrounded by delimiters in the syntax of the respective shell, +it's guaranteed that it will be parsed as one token and that the +value of the token will be exactly ARGUMENT." (cond ((eq system-type 'ms-dos) ;; Quote using double quotes, but escape any existing quotes in -- 2.5.0 --=-=-=--
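Review bot: the new doc string uses "safe" in its first paragraph and only defines it in the second, and "No safety guarantees are made for other shells, but the standard MS-DOS and Windows NT shells are supported as well" reads as a contradiction (supported, yet not guaranteed). Suggest leading with the definition and then scoping it in one sentence, e.g. "+The guarantee below holds for shells conforming to POSIX sh; the" / "+standard MS-DOS and Windows NT shells are handled too, but the" / "+guarantee has not been verified for them." Two details the definition should also settle: what "delimiters in the syntax of the respective shell" means for POSIX sh (unquoted whitespace), and whether the guarantee covers an empty ARGUMENT, which under this wording must still come back as exactly one token whose value is the empty string. The hunk shows only the ms-dos branch of the cond, so the POSIX claim cannot be checked from the patch itself; it rests on the implementation and should be verified against it before the stronger wording lands.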
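The guarantee the thread argues about (the quoted result is parsed as exactly one token whose value is ARGUMENT) can be checked by handing the result back to the shell and comparing. This is an added example, not code from the bug report or from lisp/subr.el; sh_quote and roundtrip_ok are hypothetical helper names, and the single-quote wrapping is a standard POSIX sh technique, not necessarily the escaping scheme subr.el itself uses.

```shell
#!/bin/sh
# Added example (not from the bug report or lisp/subr.el). sh_quote
# implements the contract the proposed doc string states for POSIX sh:
# once the result is delimited by unquoted whitespace, the shell parses
# it as exactly one word whose value is the input.
sh_quote() {
  # Edge case: an empty argument must still yield a token, the word ''.
  if [ -z "$1" ]; then
    printf "''"
    return
  fi
  q="'"
  rest=$1
  out=
  # Inside single quotes every byte is literal except ' itself, so each
  # embedded ' becomes '\'' (close quote, escaped quote, reopen quote).
  while :; do
    case $rest in
      *"$q"*)
        head=${rest%%"$q"*}
        rest=${rest#*"$q"}
        out="$out$head'\\''"
        ;;
      *)
        out="$out$rest"
        break
        ;;
    esac
  done
  printf "'%s'" "$out"
}

# Round-trip check of the guarantee: let the shell itself parse the quoted
# text into a word list, then confirm one word came back equal to the input.
roundtrip_ok() {
  orig=$1
  quoted=$(sh_quote "$orig")
  eval "set -- $quoted"
  [ "$#" -eq 1 ] && [ "$1" = "$orig" ]
}

# Constructed sample inputs: plain text, empty string, embedded quote,
# shell metacharacters, and an embedded newline. None gets executed.
for s in plain '' "it's here" 'a $b `c` ; d && e | f' "$(printf 'two\nlines')"; do
  if roundtrip_ok "$s"; then printf 'ok   %s\n' "$(sh_quote "$s")"
  else printf 'FAIL %s\n' "$s"; fi
done
```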