From: Vasilij Schneidermann
Newsgroups: gmane.emacs.devel
Subject: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 11:08:06 +0100
To: emacs-devel@gnu.org

I've come across a few recent bugfixes arising from the same underlying problem recently:

- Command injection in etags via system(3): CVE-2022-45939
- Command injection in htmlfontify.el via `shell-command-to-string`
- Command injection in ruby-mode.el via `shell-command-to-string`

The issue is well-known: Passing user input containing shell control characters to system(3) is dangerous. Quoting the argument strings is a band-aid solution. The text-book solution is to avoid using the shell in the first place whenever possible. Emacs even provides a convenient function for this, `process-lines`. It does not use the shell, accepts several argument strings, raises errors (rather than failing silently) and returns its output as a list of lines, thereby removing the need for removing the trailing newline.

I see several options for moving forward:

- Keep using `shell-command-to-string` and `shell-quote-argument`
- Migrate existing use of `shell-command-to-string` to `process-lines`
- Come up with a different replacement working much like `process-lines`, but returning a string instead (I have no idea what an appropriate name would be, maybe `command-to-string`?)

PS: Where should I report analogous misuse of `shell-command-to-string`? I cannot submit patches currently because I've changed employers and need to renew copyright assignment, again (that would be the third time already).
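The vulnerable pattern the message describes, its `process-lines` rewrite, and a `command-to-string`-style wrapper of the kind the last option sketches, as an added example that is not part of the original post or of Emacs itself; the `my/` function names are hypothetical and the example assumes a Unix `file` program on PATH.

```elisp
;; Added example (not from the original message).  Hypothetical names.
(require 'subr-x)  ; for `string-trim-right' on older Emacs versions

;; Vulnerable: the filename is spliced into a shell command line, so a
;; name containing shell control characters (`;', `$(...)', backticks)
;; is parsed by /bin/sh instead of being passed to `file' as data.
(defun my/file-type-vulnerable (file)
  (string-trim-right
   (shell-command-to-string (concat "file -b " file))))

;; Band-aid: quoting.  Correct here, but every call site must remember it.
(defun my/file-type-quoted (file)
  (string-trim-right
   (shell-command-to-string
    (concat "file -b " (shell-quote-argument file)))))

;; Structural fix: no shell at all.  Each argument reaches `file' verbatim
;; via execve, and `process-lines' signals an error on non-zero exit.
(defun my/file-type-safe (file)
  (car (process-lines "file" "-b" file)))

;; A `command-to-string' along the lines the message suggests: argv list,
;; no shell, error on failure, raw output returned as one string.
(defun my/command-to-string (program &rest args)
  "Run PROGRAM with ARGS without a shell; return its output as a string.
Signal an error if PROGRAM exits with a non-zero status or a signal."
  (with-temp-buffer
    (let ((status (apply #'call-process program nil (current-buffer) nil args)))
      (unless (eq status 0)
        (error "%s exited with status %s: %s" program status (buffer-string)))
      (buffer-string))))

;; Constructed check: the metacharacters are passed through untouched
;; because no shell ever sees them.
;; (my/command-to-string "printf" "%s\n" "a; echo injected")
;;   => "a; echo injected\n"
;; (my/file-type-safe "/etc/hosts")
;;   => "ASCII text"   ; typical `file -b' output on a Unix system
```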