From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Daniel Colascione Newsgroups: gmane.emacs.devel Subject: Re: Fixing Windows and DOS command line argument quoting Date: Mon, 25 Apr 2011 11:24:08 -0700 Message-ID: <4DB5BC48.6060605@gmail.com> References: <4DB4D7DB.50101@gmail.com> <83y62yal3o.fsf@gnu.org> <4DB53599.8040703@gmail.com> NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig2A232EE7F850A61A760FA27B" X-Trace: dough.gmane.org 1303755863 24336 80.91.229.12 (25 Apr 2011 18:24:23 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Mon, 25 Apr 2011 18:24:23 +0000 (UTC) Cc: emacs-devel@gnu.org To: Eli Zaretskii Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Apr 25 20:24:19 2011 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([140.186.70.17]) by lo.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1QEQSH-000748-R5 for ged-emacs-devel@m.gmane.org; Mon, 25 Apr 2011 20:24:17 +0200 Original-Received: from localhost ([::1]:48618 helo=lists2.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QEQSH-0007k7-B6 for ged-emacs-devel@m.gmane.org; Mon, 25 Apr 2011 14:24:17 -0400 Original-Received: from eggs.gnu.org ([140.186.70.92]:54243) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QEQSE-0007jt-V8 for emacs-devel@gnu.org; Mon, 25 Apr 2011 14:24:15 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QEQSE-0006Zo-49 for emacs-devel@gnu.org; Mon, 25 Apr 2011 14:24:14 -0400 Original-Received: from mail-pw0-f41.google.com ([209.85.160.41]:39122) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QEQSC-0006YZ-7N; Mon, 25 Apr 2011 14:24:12 -0400 Original-Received: by pwi10 with SMTP id 10so2118532pwi.0 for ; Mon, 25 Apr 2011 11:24:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:x-enigmail-version:content-type; bh=pPFPfhCaHJJlqNE1CEbxzQUNP6AyNipki3CPvw7Xapo=; b=OE/8EBgLpj8Iaa2gHCjnYSasfs3x1rgQcm6msMxq19vGLWkagFMDQAntLK+ZWfRvSv WFMG5UnGeS+SSJ6zLBBGNTdFwsiEXe3LX30X3v2nKF1PSW/vUbryWcc524WkErYhLgfe DzLYMi5/hNI7BFCJOnku6QEDP5eUqCRPjL02w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type; b=kiiH70gyCfvEz6KoB0Er3btyN2YqS39WSD4Z38LnVnySdDJMx0IGMJQ9TW4QLzQKgo AaRjshrlGI4BmFE871KJfX5jL67cr4Mk0TOVWbKK0xK9h0aRJHLqfcdHLnob793lzqTv FYVIlnCMtK8FucVl+4bz5ztKfFnGyiv4/d2yk= Original-Received: by 10.68.16.106 with SMTP id f10mr4582969pbd.458.1303755851234; Mon, 25 Apr 2011 11:24:11 -0700 (PDT) Original-Received: from [192.168.1.2] (c-67-183-23-114.hsd1.wa.comcast.net [67.183.23.114]) by mx.google.com with ESMTPS id u3sm1256009pbn.77.2011.04.25.11.24.09 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 25 Apr 2011 11:24:10 -0700 (PDT) User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 In-Reply-To: <4DB53599.8040703@gmail.com> X-Enigmail-Version: 1.1.1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) X-Received-From: 209.85.160.41 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:138754 Archived-At: This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig2A232EE7F850A61A760FA27B Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 4/25/11 1:49 AM, Daniel Colascione wrote: >> . Please install this only on the trunk. The emacs-23 branch should >> not be destabilized by such experiments at this time. >=20 > Fair enough. I'd just like to note that it'd be a good idea to eventually backport this fix to Emacs 23: it's a security issue. The current shell-quote-argument doesn't, so (shell-command (format "cmd %s" (shell-quote-argument untrusted-input))) can run an arbitrary command. --------------enig2A232EE7F850A61A760FA27B Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) iEYEARECAAYFAk21vEgACgkQ17c2LVA10Vt0JgCfdwUh+DTl0Nr45zm4nzAXg1KU n84An1TW8Kuhe6XgGhsTLM+dKl0bYN98 =rrve -----END PGP SIGNATURE----- --------------enig2A232EE7F850A61A760FA27B--