From: Maxim Nikulin <m.a.nikulin@gmail.com>
To: 66390@debbugs.gnu.org
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 19:47:04 +0700
Message-ID: <f17b9b73-8927-446a-9e54-459aad3b7bee@gmail.com>

man.el does not properly escape shell special characters when `man' is
invoked with an argument to open a particular manual page. As a result
arbitrary shell code may be executed.

I do not consider it a real issue when the `man' command is invoked
by a user directly. However it is a security vulnerability when other
packages call `man' to open a specific page.

Consider an Org mode document with the following link and ol-man is loaded:

<man:File:\:UserDirs(3pm)>

In response to C-c C-o (`org-open-at-point') an error appears instead of
the formatted manual page:

--- 8< ---
/usr/bin/sh: 1: Syntax error: "(" unexpected
process exited abnormally with code 2
--- >8 ---

Alternatively just evaluate

(man "File:\\:UserDirs(3pm)")

A side note: I tried to add a backslash due to an issue with ol-man that
is to be fixed. A workaround in this particular case is to remove
"(3pm)". Though the real problem is that the special characters "()" are not
quoted.

I would not consider the issue a severe one unless some users who
wish to open arbitrary Org files from the net

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774#34
> Org files are native to Emacs, I wish to open Org files by using EWW.

man.el should prevent substitution of shell specials literally from
`man' arguments into shell commands.
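
Added example (not part of the original message and not code from man.el): the syntax error quoted in the report, reproduced by pasting the topic string into command text, next to two ways a caller can keep the topic as a single argument. The stand-in viewer (`printf %s` in place of the man binary) and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Topic string from the report; "(" and ")" are shell specials.
topic='File:\:UserDirs(3pm)'

# Constructed stand-in for the man binary (assumption): it prints the
# argument it receives, so the result can be inspected without man pages.
viewer='printf %s'

# Pattern from the report: the topic is pasted into the command text,
# so sh parses "(3pm)" as syntax instead of treating it as data.
run_unquoted() {
    sh -c "$viewer $1" 2>&1
}

# Wrap a string in single quotes for sh; an embedded ' becomes '\''.
# Trailing newlines are dropped by the command substitution.
sh_quote() {
    printf "'%s'" "$(printf %s "$1" | sed "s/'/'\\\\''/g")"
}

# Mitigation 1: quote the topic before building the command text.
run_quoted() {
    sh -c "$viewer $(sh_quote "$1")" 2>&1
}

# Mitigation 2: keep the command text constant and pass the topic as a
# positional parameter, so it is never parsed as shell code.
run_argv() {
    sh -c 'printf %s "$1"' sh "$1" 2>&1
}

# Show exit status and output of each variant for the report's topic.
for variant in run_unquoted run_quoted run_argv; do
    if out=$("$variant" "$topic"); then status=0; else status=$?; fi
    printf '%-12s exit=%s output=%s\n' "$variant" "$status" "$out"
done
```

The unquoted variant exits non-zero with the shell's syntax error, while both mitigations hand the viewer the topic unchanged, backslash included.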