From: lux
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 10:47:17 +0800
To: Eli Zaretskii
Cc: manikulin@gmail.com, 66390@debbugs.gnu.org, michael.albinus@gmx.de
In-Reply-To: <834jizwxm2.fsf@gnu.org>

On Mon, 2023-10-09 at 19:48 +0300, Eli Zaretskii wrote:
> > From: lux
> > Cc: 66390@debbugs.gnu.org, michael.albinus@gmx.de
> > Date: Tue, 10 Oct 2023 00:30:06 +0800
> >
> > There is indeed a code injection vulnerability issue here, for example:
> >
> >   (man ";ls")    <-- The `ls' command will be executed.
>
> So does this:
>
>   (shell-command "ls")
>
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command?  We cannot do that.
>
>

The responsibilities of `shell-command' are clear: execute string COMMAND
in inferior shell. But `man' is not; we cannot describe `man' as being "Get a
Un*x manual page and put it in a buffer. But sometimes it can, by the way,
execute shell code."

For filenames, the "(", ")", and ";" characters all work. I think we should
be able to handle them correctly, or this should be described in the docstring.
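
The distinction drawn in the message above, as an added example that is not part of the original message and is not code from man.el: the same topic string is handed to a program three ways, so the effect of ";", "(" and ")" can be compared. All `demo-' names are hypothetical, and "echo" is a constructed stand-in for man(1) that only prints the arguments it receives.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from man.el.  All `demo-' names are
;; hypothetical.  "echo" is a constructed stand-in for man(1): it prints
;; the arguments it was given, which shows how the command line was split.

(defun demo-run-concatenated (topic)
  "Paste TOPIC into a shell command line unchanged.
The shell parses TOPIC, so `;', `(' and `)' keep their shell meaning."
  (shell-command-to-string (concat "echo " topic)))

(defun demo-run-quoted (topic)
  "Paste TOPIC into a shell command line after `shell-quote-argument'.
The shell then treats TOPIC as exactly one word."
  (shell-command-to-string (concat "echo " (shell-quote-argument topic))))

(defun demo-run-no-shell (topic)
  "Pass TOPIC as one element of the argument vector; no shell is involved."
  (with-temp-buffer
    (call-process "echo" nil t nil topic)
    (buffer-string)))

;; Sample topics: the value from the report, and a constructed name that
;; uses all three characters mentioned for file names.
(dolist (topic '(";ls" "foo(1);bar"))
  (message "topic %S" topic)
  (message "  concatenated: %S" (demo-run-concatenated topic))
  (message "  quoted:       %S" (demo-run-quoted topic))
  (message "  no shell:     %S" (demo-run-no-shell topic)))
```

Save it to a file and run it with `emacs --batch -l` on that file on a Unix-like system. Only the concatenated form lets the shell interpret the topic; the quoted and no-shell forms deliver it to the program as a single argument.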