unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Vasilij Schneidermann <mail@vasilij.de>
To: emacs-devel@gnu.org
Subject: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 11:08:06 +0100	[thread overview]
Message-ID: <Y/XphtONmV9h5tsm@odonien> (raw)

[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]

I've come across a few recent bugfixes arising from the same underlying problem
recently:

- Command injection in etags via system(3): CVE-2022-45939
- Command injection in htmlfontify.el via `shell-command-to-string`
- Command injection in ruby-mode.el via `shell-command-to-string`

The issue is well-known: Passing user input containing shell control
characters to system(3) is dangerous. Quoting the argument strings is a
band-aid solution. The text-book solution is to avoid using the shell in
the first place whenever possible. Emacs even provides a convenient
function for this, `process-lines`. It does not use the shell, accepts
several argument strings, raises errors (rather than failing silently)
and returns its output as a list of lines, thereby removing the need for
removing the trailing newline.

I see several options for moving forward:

- Keep using `shell-command-to-string` and `shell-quote-argument`
- Migrate existing use of `shell-command-to-string` to `process-lines` 
- Come up with a different replacement working much like
  `process-lines`, but returning a string instead (I have no idea what
  an appropriate name would be, maybe `command-to-string`?)

PS: Where should I report analogous misuse of `shell-command-to-string`?
I cannot submit patches currently because I've changed employers and
need to renew copyright assignment, again (that would be the third time
already).

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

             reply	other threads:[~2023-02-22 10:08 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-22 10:08 Vasilij Schneidermann [this message]
2023-02-22 10:20 ` Structurally fixing command injection bugs lux
2023-02-22 10:34   ` Vasilij Schneidermann
2023-02-22 12:05     ` lux
2023-02-22 12:57     ` Gregory Heytings
2023-02-22 12:01 ` lux
2023-02-22 18:57 ` Jim Porter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Y/XphtONmV9h5tsm@odonien \
    --to=mail@vasilij.de \
    --cc=emacs-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).