From: lux
Newsgroups: gmane.emacs.bugs
Subject: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Mon, 05 Feb 2024 14:13:28 +0800
To: Eli Zaretskii
Cc: 61709@debbugs.gnu.org
In-Reply-To: <83y1opra5o.fsf@gnu.org>
X-OQ-MSGID: <50b887d28cf1f97e9b4a0a54d87f2012674105fc.camel@shellcodes.org>

On Wed, 2023-02-22 at 17:29 +0200, Eli Zaretskii wrote:
> > Cc: Xi Lu
> > From: Xi Lu
> > Date: Wed, 22 Feb 2023 22:35:54 +0800
> > 
> >  (defun filesets-which-command-p (cmd)
> >    "Call \"which CMD\" and return non-nil if the command was found."
> > @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
> >     (funcall vwr file)
> >     nil)
> >   (co-flag
> > -   (shell-command-to-string (format "%s %s" vwr args)))
> > +   (shell-command-to-string (shell-quote-argument
> > +                                            (format "%s %s" vwr args))))
> >   (t
> > -   (shell-command (format "%s %s&" vwr args))
> > +   (shell-command (shell-quote-argument
> > +                                  (format "%s %s&" vwr args)))
> >     nil))))
> 
> These two cannot be right: you are quoting several separate
> command-line arguments.
> 
> >     (if co-flag
> >        (progn
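Review bot: wrapping the whole `(format "%s %s" vwr args)` string in `shell-quote-argument`, in both the `co-flag` and the `t` branch of this hunk, turns the viewer name and its arguments into a single shell word, so the shell looks for a program literally named `vwr args` and nothing runs; in the `t` branch the trailing `&` ends up inside the quotes as well, so `shell-command` no longer sees a command ending in `&` and the asynchronous path is lost. `shell-quote-argument` protects exactly one argument. Quote the pieces separately and then join them, e.g. `(concat (shell-quote-argument vwr) " " (shell-quote-argument args) "&")`, splitting `args` into individual arguments first if it can carry more than one, or drop the shell entirely and hand the program and its argument list to `start-process` / `call-process`, where metacharacters in a file name cannot be interpreted at all.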
> > @@ -1578,7 +1581,7 @@ filesets-run-cmd
> >      " "))
> >   (cmd (concat fn " " args)))
> >       (filesets-cmd-show-result
> > -      cmd (shell-command-to-string cmd))))
> > +      cmd (shell-command-to-string (shell-quote-
> > argument cmd)))))
> >   ((symbolp fn)
> >     (apply fn
> >            (mapcan (lambda (this)
> 
> I think this is also wrong: cmd is not a single word.
> 
> In general, you cannot quote arbitrary parts of a shell command, you
> can only quote each command-line argument separately.
> 
> 
> 

This patch went unaddressed for a long time, so just to be on the safe side, I only remove the `filesets-select-command' function.

[Attachment: 0001-Removed-the-filesets-select-command-which-was-unused.patch (text/x-patch)]

From 8f8db0851e9fd265a6bb106f3adf0168195162b8 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Mon, 5 Feb 2024 13:41:13 +0800
Subject: [PATCH] Removed the `filesets-select-command', which was unused and
 unsafe.

* lisp/filesets.el: Removed the `filesets-select-command'.
---
 lisp/filesets.el | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/lisp/filesets.el b/lisp/filesets.el
index 4e2de8fed1b..23a8dbc4e85 100644
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -161,15 +161,6 @@ 'filesets-some
 (define-obsolete-function-alias 'filesets-member #'cl-member "28.1")
 (define-obsolete-function-alias 'filesets-sublist #'seq-subseq "28.1")
 
-(defun filesets-select-command (cmd-list)
-  "Select one command from CMD-LIST -- a string with space separated names."
-  (let ((this (shell-command-to-string
-	       (format "which --skip-alias %s 2> %s | head -n 1"
-		       cmd-list null-device))))
-    (if (equal this "")
-	nil
-      (file-name-nondirectory (substring this 0 (- (length this) 1))))))
-
 (defun filesets-which-command (cmd)
   "Call \"which CMD\"."
   (shell-command-to-string (format "which %s" cmd)))
@@ -546,18 +537,7 @@ filesets-commands
                                          (function :tag "Function"))))))
 
 (defcustom filesets-external-viewers
-  (let
-      ;; ((ps-cmd  (or (and (boundp 'my-ps-viewer) my-ps-viewer)
-      ;;    	    (filesets-select-command "ggv gv")))
-      ;;  (pdf-cmd (or (and (boundp 'my-ps-viewer) my-pdf-viewer)
-      ;;    	    (filesets-select-command "xpdf acroread")))
-      ;;  (dvi-cmd (or (and (boundp 'my-ps-viewer) my-dvi-viewer)
-      ;;    	    (filesets-select-command "xdvi tkdvi")))
-      ;;  (doc-cmd (or (and (boundp 'my-ps-viewer) my-doc-viewer)
-      ;;    	    (filesets-select-command "antiword")))
-      ;;  (pic-cmd (or (and (boundp 'my-ps-viewer) my-pic-viewer)
-      ;;    	    (filesets-select-command "gqview ee display"))))
-      ((ps-cmd  "ggv")
+  (let ((ps-cmd  "ggv")
        (pdf-cmd "xpdf")
        (dvi-cmd "xdvi")
        (doc-cmd "antiword")
-- 
2.43.0
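Review bot: in the quoted `filesets-run-cmd` hunk above, `cmd` is `(concat fn " " args)` and `args` has already been joined with `" "`, so `(shell-quote-argument cmd)` quotes the entire command line as one word; the shell then tries to execute a program whose name is the whole string, and the call fails rather than becoming safe. The quoting has to happen before the join: apply `shell-quote-argument` to `fn` and to each individual argument (`mapconcat #'shell-quote-argument` over the argument list with `" "`) and only then `concat` them, or pass `fn` and the argument list to `call-process` and skip the shell altogether.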
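Review bot: the `filesets-which-command` left in place directly below the deleted function, in the `@@ -161,15 +161,6 @@` hunk's trailing context, still builds its command with `(format "which %s" cmd)` and hands it to `shell-command-to-string` unquoted, so the pattern that motivated removing `filesets-select-command` (interpolating a caller-supplied name into a shell string) survives three lines further down; `(format "which %s" (shell-quote-argument cmd))`, or `executable-find`, which needs no shell at all, would close it in the same patch. Separately, the two `define-obsolete-function-alias` context lines at the top of the hunk show how this file retires helpers, and a public `filesets-` function that is simply deleted will break any third-party code that calls it; consider keeping a stub marked with `make-obsolete`, or state in the commit message that no in-tree caller remains (the second hunk shows the only other references were already commented out).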