From: lux <lx@shellcodes.org>
To: Vasilij Schneidermann <mail@vasilij.de>, emacs-devel@gnu.org
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 18:20:12 +0800 [thread overview]
Message-ID: <tencent_38F36F46AD06A566F70E405E2C7C2E588505@qq.com> (raw)
In-Reply-To: <Y/XphtONmV9h5tsm@odonien>
On Wed, 2023-02-22 at 11:08 +0100, Vasilij Schneidermann wrote:
> I've come across a few recent bugfixes arising from the same
> underlying problem
> recently:
>
> - Command injection in etags via system(3): CVE-2022-45939
> - Command injection in htmlfontify.el via `shell-command-to-string`
> - Command injection in ruby-mode.el via `shell-command-to-string`
>
> The issue is well-known: Passing user input containing shell control
> characters to system(3) is dangerous. Quoting the argument strings is
> a
> band-aid solution. The text-book solution is to avoid using the shell
> in
> the first place whenever possible. Emacs even provides a convenient
> function for this, `process-lines`. It does not use the shell,
> accepts
> several argument strings, raises errors (rather than failing
> silently)
> and returns its output as a list of lines, thereby removing the need
> for
> removing the trailing newline.
>
> I see several options for moving forward:
>
> - Keep using `shell-command-to-string` and `shell-quote-argument`
> - Migrate existing use of `shell-command-to-string` to `process-
> lines`
> - Come up with a different replacement working much like
> `process-lines`, but returning a string instead (I have no idea
> what
> an appropriate name would be, maybe `command-to-string`?)
>
> PS: Where should I report analogous misuse of `shell-command-to-
> string`?
> I cannot submit patches currently because I've changed employers and
> need to renew copyright assignment, again (that would be the third
> time
> already).
You can send to bug-gnu-emacs@gnu.org
next prev parent reply other threads:[~2023-02-22 10:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-22 10:08 Structurally fixing command injection bugs Vasilij Schneidermann
2023-02-22 10:20 ` lux [this message]
2023-02-22 10:34 ` Vasilij Schneidermann
2023-02-22 12:05 ` lux
2023-02-22 12:57 ` Gregory Heytings
2023-02-22 12:01 ` lux
2023-02-22 18:57 ` Jim Porter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_38F36F46AD06A566F70E405E2C7C2E588505@qq.com \
--to=lx@shellcodes.org \
--cc=emacs-devel@gnu.org \
--cc=mail@vasilij.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).