From: Maxim Nikulin
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 19:47:04 +0700
To: 66390@debbugs.gnu.org

man.el does not properly escape shell special characters when `man' is invoked with an argument to open a particular manual page. As a result arbitrary shell code may be executed. I do not consider it a real issue when the `man' command is invoked by a user directly. However it is a security vulnerability when other packages call `man' to open a specific page.

Consider an Org mode document with the following link and ol-man is loaded

In response to C-c C-o (`org-open-at-point') an error appears instead of a formatted manual page

--- 8< ---
/usr/bin/sh: 1: Syntax error: "(" unexpected
process exited abnormally with code 2
--- >8 ---

Alternatively just evaluate

(man "File:\\:UserDirs(3pm)")

A side note: I tried to add a backslash due to an issue with ol-man that is to be fixed.

A workaround in this particular case is to remove "(3pm)". Though the real problem is that the special characters "()" are not quoted.

I would not consider the issue as a severe one unless some users who wish to open arbitrary Org files from the net

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774#34
> Org files are native to Emacs, I wish to open Org files by using EWW.

man.el should prevent substitution of shell specials literally from `man' arguments into shell commands.
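
The quoting failure reported above, as an added example that is not part of the original message and is not code from man.el: it passes the report's own topic string to `sh -c` unquoted, then quoted with `shell-quote-argument`, then without any shell via an argument list. The `demo-` function names are hypothetical, and `printf` stands in for the real man pipeline so that no manual pages are needed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration only; this is NOT how man.el is written.
;; Assumption: a POSIX `sh' and `printf' are available on PATH.
(require 'subr-x)

(defun demo-run-sh (command)
  "Run COMMAND with sh -c and return (EXIT-STATUS . OUTPUT)."
  (with-temp-buffer
    ;; DESTINATION t collects stdout and stderr in this buffer.
    (let ((status (call-process "sh" nil t nil "-c" command)))
      (cons status (string-trim (buffer-string))))))

(defun demo-unquoted (topic)
  "Splice TOPIC into the command line verbatim.
This is the pattern the report describes: the shell parses TOPIC as syntax."
  (demo-run-sh (concat "printf '%s\\n' man " topic)))

(defun demo-quoted (topic)
  "Quote TOPIC so the shell receives it as one literal word."
  (demo-run-sh (concat "printf '%s\\n' man " (shell-quote-argument topic))))

(defun demo-no-shell (topic)
  "Skip the shell: TOPIC is handed to the program as a single argv element."
  (with-temp-buffer
    (let ((status (call-process "printf" nil t nil "%s\n" "man" topic)))
      (cons status (string-trim (buffer-string))))))

;; The topic string from the report's `(man ...)' form.
(let ((topic "File:\\:UserDirs(3pm)"))
  (message "unquoted: %S" (demo-unquoted topic))
  (message "quoted:   %S" (demo-quoted topic))
  (message "no shell: %S" (demo-no-shell topic)))
```

Only the unquoted variant lets the shell interpret "(" and ")" from the topic; the other two deliver the string to the program unchanged.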