On 02/22/23 at 06:20pm, lux wrote:
> > PS: Where should I report analogous misuse of
> > `shell-command-to-string`? I cannot submit patches currently because
> > I've changed employers and need to renew copyright assignment, again
> > (that would be the third time already).
>
> You can send to bug-gnu-emacs@gnu.org

Yes, usually I'd just use M-x report-emacs-bug, but in this case it's different because I plan to develop proof of concept code (PoC) and submit it to the responsible maintainer for verifying the vulnerability and the fix. Publicly disclosing PoC code is usually frowned upon, no matter how trivial/exploitable the issue is.