From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sat, 17 Oct 2015 22:28:42 +0200
Message-ID: <87io65utmt.fsf@T420.taylan>
References: <87si59wj42.fsf@T420.taylan> <83eggt4esi.fsf@gnu.org> <87fv19wh7b.fsf@T420.taylan> <83bnbx4d7e.fsf@gnu.org> <87twppuzfu.fsf@T420.taylan> <83a8rh48if.fsf@gnu.org>
In-Reply-To: <83a8rh48if.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 17 Oct 2015 22:09:28 +0300")
To: Eli Zaretskii
Cc: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:191878

Eli Zaretskii writes:

>> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
>> Cc: emacs-devel@gnu.org
>> Date: Sat, 17 Oct 2015 20:23:17 +0200
>> 
>> > I don't think we'd like to have packages limited in that way.  AFAIK,
>> > we didn't until now, at least not consciously.
>> 
>> Quoting RMS, coincidentally from a couple days ago:
>> 
>>     The policy is non-GNU systems are secondary, and lower priority than
>>     the GNU system, but we are glad to include support for them in GNU
>>     packages if users contribute the necessary code -- provided that
>>     code isn't a maintenance problem for us.
>> 
>>     The maintainers of any particular package are the ones who judge
>>     whether that code is a maintenance problem, since they are the ones
>>     it would be a problem for.
>
> I don't see how this is relevant for the issue at hand, since the
> necessary code (the shell-quote-argument function) was already
> contributed to Emacs years ago, and is used in many places in core
> Emacs.  There's no extra effort needed to support more platforms, just
> replace one function with another.

You seem to be implying that using shell-quote-argument will uphold the
invariant that the code is safe against injection.  I'm asking for
explicit confirmation of that.  Once I have confirmation of that, sure,
I will use it and thus make my code portable.  As it stands, I don't
know whether doing that change would really make my code portable with
the same safety guarantees, or weaken the safety guarantees.

>> I generally don't want to take responsibility for my code being used on
>> non-GNU/non-POSIX systems, but if I can share the responsibility then
>> that's fine.
>
> You are sharing the responsibility with a long line of Emacs
> developers, all of whom use this function.  I don't see anything you
> should worry about, really.

I can't have responsibility over every single Elisp function in Emacs,
as no developer can.  In particular I *can't* take responsibility over
shell-quote-argument because I don't know any shell syntax other than
POSIX.  And I surely do worry whether users of my library will be
subject to arbitrary code injection.

>> > And it really isn't a big deal.  Emacs already has all the
>> > infrastructure for portable handling of shell commands.
>> >
>> >> How much can I rely on shell-quote-argument?
>> >
>> > You can rely on it.  Emacs uses it in umpteen important places.
>> >
>> >> Can one fully rely on it being safe against code injection?
>> >
>> > I don't think I understand what code injection you had in mind.
>> > Please elaborate.
>> 
>>     (let ((file-list (read where-ever)))
>>       (shqq (cp -- ,@file-list some-place)))
>> 
>> That code is *guaranteed* to either copy the files in file-list to
>> some-place, or error, so long as the argument quoting by shqq works
>> well.  If it has a bug, then malicious input from where-ever may be able
>> to execute arbitrary shell commands.
>> 
>> Is shell-quote-argument safe against such a thing?  My shqq-quote-string
>> isn't exactly formally proven to be safe either, but its implementation
>> is so simple it's fairly obvious that it doesn't contain bugs.
>
> Please take a look at the implementation of shell-quote-argument.  It
> uses the same interfaces as your implementation, no more, no less.  If
> your implementation is safe, then so is shell-quote-argument.

I have taken a look.  It doesn't use the same strategy even for POSIX
shells, and I can't be as sure of its safety as I am of the safety of my
implementation.  When it comes to non-POSIX shells, I have no clue.

If someone explicitly confirms to me that the function is very obviously
safe against injection on all shells it supports, then I will use it.

So far, seeing things like

    ;; This should be safe enough even for really weird shells.

and the implementation complexity for the ms-dos and windows-nt variants
(though as I said I have no clue about those) doesn't exactly inspire
confidence.

Taylan
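The safety argument in the message above rests on the quoting rule being simple enough to verify by inspection. As an added example, not code from this thread, from shell-quasiquote or from Emacs, here is the usual POSIX single-quote rule written as a sh function, together with the check that matters for any quoter: quote a constructed hostile file name (`evil.txt; echo INJECTED`), let the shell re-parse the result, and confirm it comes back as one literal argument rather than as a command. The names `shquote`, `build_cp`, `cp_argc` and `roundtrip` and the payload string are assumptions made for this demonstration; the block does not claim to reproduce how shqq-quote-string or shell-quote-argument is implemented.

```shell
#!/bin/sh
# Added example, not code from the emacs-devel thread or from shell-quasiquote.
# Demonstrates the common POSIX single-quote quoting rule and checks that a
# constructed hostile file name survives shell re-parsing as one literal word.
# Function names and the payload are assumptions for this demo only.

# Quote ARG so that a POSIX shell re-parses it as exactly one word.
# Rule: wrap in single quotes, and turn every embedded ' into '\''
# (close the string, emit a backslash-escaped ', reopen).  Inside single
# quotes no other character is special, so this is the entire rule.
# No command substitution is used, so a trailing newline in ARG survives.
shquote() {
    _rest=$1
    _out="'"
    while :; do
        case $_rest in
            *\'*)
                # text up to the first quote, then the '\'' sequence
                _out=$_out${_rest%%\'*}"'\\''"
                _rest=${_rest#*\'}
                ;;
            *)
                _out=$_out$_rest"'"
                break
                ;;
        esac
    done
    printf '%s' "$_out"
}

# Build the command line the way the thread's (shqq (cp -- ,@file-list
# some-place)) form would: both user-controlled words quoted, and "--" so a
# name beginning with "-" cannot be read as an option.
build_cp() {
    printf 'cp -- %s %s' "$(shquote "$1")" "$(shquote "$2")"
}

# Re-parse the words after "cp -- " exactly as the shell would and return
# their count.  Every word is quoted, so nothing executes; a correct quoter
# yields 2 no matter what the file name contained.
cp_argc() {
    _args=${1#"cp -- "}
    eval "set -- $_args"
    echo "$#"
}

# Round trip: quote ARG, let the shell re-parse it, and succeed only if the
# result is one word identical to ARG.  The exit status is the result.
roundtrip() {
    _orig=$1
    eval "set -- $(shquote "$_orig")"
    [ "$#" -eq 1 ] && [ "$1" = "$_orig" ]
}

# Demo with a constructed hostile "file name".  Unquoted, the shell would
# run the echo after the semicolon; quoted, it is inert data.
PAYLOAD='evil.txt; echo INJECTED'
echo "built command: $(build_cp "$PAYLOAD" /tmp/dest)"
echo "words after cp --: $(cp_argc "$(build_cp "$PAYLOAD" /tmp/dest)")"
if roundtrip "$PAYLOAD"; then
    echo "payload survived re-parsing as a single literal argument"
fi
```

Run it with any POSIX sh. The round-trip check (quote, re-parse, compare) is the property worth testing for whichever quoter one adopts: an input for which it fails is exactly the bug that would let data from `where-ever` run as a command. The `--` in the cp line is a separate guard, against names beginning with `-`, that quoting alone does not give.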