From: lux
Newsgroups: gmane.emacs.devel
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 20:01:14 +0800
To: Vasilij Schneidermann, emacs-devel@gnu.org
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:303675

On Wed, 2023-02-22 at 11:08 +0100, Vasilij Schneidermann wrote:
> I've come across a few recent bugfixes arising from the same
> underlying problem recently:
>
> - Command injection in etags via system(3): CVE-2022-45939
> - Command injection in htmlfontify.el via `shell-command-to-string`
> - Command injection in ruby-mode.el via `shell-command-to-string`
>
> The issue is well-known: Passing user input containing shell control
> characters to system(3) is dangerous. Quoting the argument strings is a
> band-aid solution. The text-book solution is to avoid using the shell in
> the first place whenever possible. Emacs even provides a convenient
> function for this, `process-lines`. It does not use the shell, accepts
> several argument strings, raises errors (rather than failing silently)
> and returns its output as a list of lines, thereby removing the need for
> removing the trailing newline.
>
> I see several options for moving forward:
>
> - Keep using `shell-command-to-string` and `shell-quote-argument`
> - Migrate existing use of `shell-command-to-string` to `process-lines`
> - Come up with a different replacement working much like
>   `process-lines`, but returning a string instead (I have no idea what
>   an appropriate name would be, maybe `command-to-string`?)

I've been working on these things lately. You are welcome to submit patches to make Emacs more secure.
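The three options in the quoted message, put side by side in Emacs Lisp as an added example; this is not code from the thread, from Emacs or from its contributors. The function names (`my-file-type-vulnerable`, `my-file-type-quoted`, `my-file-type-noshell`, `my-call-process-to-string`) are hypothetical, the attacker-controlled input is constructed, and file(1) is assumed to be on `exec-path`. The last function is one possible shape for the `command-to-string`-style replacement floated in the thread, built on `call-process`, which Emacs does provide.

```elisp
;;; Added example, not code from the thread or from Emacs itself.
;;; All function names below (my-file-type-*, my-call-process-to-string)
;;; are hypothetical; file(1) is assumed to be on `exec-path'.
(require 'subr-x)                      ; for `string-trim-right'

;; Vulnerable: FILE is spliced into a shell command line, so a name such
;; as "x; touch /tmp/pwned" makes the shell run a second command.  The
;; trailing newline also has to be stripped by hand.
(defun my-file-type-vulnerable (file)
  (string-trim-right
   (shell-command-to-string (concat "file -b " file))))

;; Band-aid: quote the argument.  Correct for this one call site, but
;; every caller has to remember it, and the quoting must match the shell
;; that `shell-file-name' actually invokes.
(defun my-file-type-quoted (file)
  (string-trim-right
   (shell-command-to-string
    (concat "file -b " (shell-quote-argument file)))))

;; Structural fix: no shell at all.  Each argument reaches the program
;; as its own argv entry, so shell metacharacters in FILE are just bytes.
;; `process-lines' also signals an error on a non-zero exit status
;; instead of returning the error text as if it were output.
(defun my-file-type-noshell (file)
  (car (process-lines "file" "-b" file)))

;; A `command-to-string'-style replacement: like `shell-command-to-string'
;; but shell-free, returning stdout as one string and signalling on
;; failure.  Hypothetical helper, not an Emacs API.  `call-process' with
;; DESTINATION t writes the program's output into the current buffer.
(defun my-call-process-to-string (program &rest args)
  (with-temp-buffer
    (let ((status (apply #'call-process program nil t nil args)))
      (unless (and (integerp status) (zerop status))
        (error "%s exited with %S" program status))
      (buffer-string))))

;; Constructed attacker-controlled input.  With the vulnerable function
;; the shell runs `echo INJECTED' after `file'.  With the other three
;; the whole string reaches file(1) as a single literal argument: it
;; reports that name as unopenable (or, if that file(1) exits non-zero,
;; `process-lines' and the helper signal an error), and nothing else
;; is executed.
(let ((evil "/etc/hostname; echo INJECTED"))
  (list (my-file-type-quoted evil)
        (my-file-type-noshell evil)
        (my-call-process-to-string "file" "-b" evil)))
```

The point of the last two functions is that safety no longer depends on the caller: there is no command line to get wrong, so an audit only has to check that no argument string is itself a program name or option an attacker could choose, which is a much smaller surface than shell metacharacter handling.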