From: lux
Newsgroups: gmane.emacs.devel
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 18:20:12 +0800
To: Vasilij Schneidermann, emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:303672

On Wed, 2023-02-22 at 11:08 +0100, Vasilij Schneidermann wrote:
> I've come across a few recent bugfixes arising from the same
> underlying problem recently:
>
> - Command injection in etags via system(3): CVE-2022-45939
> - Command injection in htmlfontify.el via `shell-command-to-string`
> - Command injection in ruby-mode.el via `shell-command-to-string`
>
> The issue is well-known: Passing user input containing shell control
> characters to system(3) is dangerous. Quoting the argument strings is a
> band-aid solution. The text-book solution is to avoid using the shell in
> the first place whenever possible. Emacs even provides a convenient
> function for this, `process-lines`. It does not use the shell, accepts
> several argument strings, raises errors (rather than failing silently)
> and returns its output as a list of lines, thereby removing the need for
> removing the trailing newline.
>
> I see several options for moving forward:
>
> - Keep using `shell-command-to-string` and `shell-quote-argument`
> - Migrate existing use of `shell-command-to-string` to `process-lines`
> - Come up with a different replacement working much like
>   `process-lines`, but returning a string instead (I have no idea what
>   an appropriate name would be, maybe `command-to-string`?)
>
> PS: Where should I report analogous misuse of `shell-command-to-string`?
> I cannot submit patches currently because I've changed employers and
> need to renew copyright assignment, again (that would be the third time
> already).

You can send to bug-gnu-emacs@gnu.org
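The three options laid out in the quoted message, shown side by side in Emacs Lisp. This is an added illustration, not code from the thread or from Emacs itself: the function names (`my-file-type-unsafe`, `my-file-type-quoted`, `my-file-type-safe`, `my-command-to-string`) are made up for this example, and it assumes the `file` utility is installed. `my-command-to-string` is one possible shape for the string-returning sibling of `process-lines` that the message speculates about; its name and signature are this example's own, not an Emacs API.

```elisp
;;; Added illustration (not from the thread or from Emacs itself).
;;; Function names and the use of the `file' utility are assumptions.

(require 'subr-x)   ; `string-trim-right' on older Emacs versions

;; Shell-based form: FILE is spliced into a command line that /bin/sh
;; parses first, so a file name containing characters the shell treats
;; specially (`;', `|', `$', backquotes, ...) is interpreted by the
;; shell rather than handed to `file' as data.
(defun my-file-type-unsafe (file)
  "Return the output of `file -b FILE', built as a shell string (unsafe)."
  (string-trim-right
   (shell-command-to-string (concat "file -b " file))))

;; Band-aid: quote the value for the shell.  Only correct if every
;; interpolated value is quoted, on every code path, for every shell
;; `shell-file-name' may point at.  One missed `shell-quote-argument'
;; reintroduces the bug.
(defun my-file-type-quoted (file)
  "Return the output of `file -b FILE', quoting FILE for the shell."
  (string-trim-right
   (shell-command-to-string
    (concat "file -b " (shell-quote-argument file)))))

;; Structural fix: no shell at all.  `process-lines' runs the program
;; directly with an argument vector, so FILE is exactly one argument no
;; matter what it contains, and a non-zero exit status signals an error
;; instead of silently yielding an empty or partial string.
;; `--' keeps a file name beginning with `-' from being read as an
;; option by `file': exec-style invocation stops shell injection, not
;; option injection.
(defun my-file-type-safe (file)
  "Return the first line of output of `file -b -- FILE', without a shell."
  (car (process-lines "file" "-b" "--" file)))

;; A string-returning sibling of `process-lines' in the spirit of the
;; `command-to-string' idea from the message (hypothetical name).  Built
;; on `call-process', which also bypasses the shell.  The exit status is
;; checked explicitly, because `call-process' does not signal on failure
;; by itself; stdout and stderr both land in the temp buffer (DESTINATION
;; t) so a failure message carries the tool's own diagnostic.
(defun my-command-to-string (program &rest args)
  "Run PROGRAM with ARGS without a shell and return its stdout as a string.
Signal an error if PROGRAM exits with a non-zero status."
  (with-temp-buffer
    (let ((status (apply #'call-process program nil t nil args)))
      (unless (eq status 0)
        (error "%s exited with status %s: %s" program status
               (string-trim-right (buffer-string))))
      (buffer-string))))

;; Usage, e.g. via M-: in a running Emacs:
;; (my-file-type-safe "/etc/hostname")
;; (my-command-to-string "file" "-b" "--" "/etc/hostname")
```

Of the three, only the last two functions are immune to shell metacharacters in the input by construction, which is the point of the message: the fix is to change how the program is invoked, not to police the string. Both still rely on the called program's own argument parsing, which is why `--` is passed before the file name.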