From: Eli Zaretskii <eliz@gnu.org>
To: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Cc: emacs-devel@gnu.org
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sat, 17 Oct 2015 22:09:28 +0300 [thread overview]
Message-ID: <83a8rh48if.fsf@gnu.org> (raw)
In-Reply-To: <87twppuzfu.fsf@T420.taylan>
> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
> Cc: emacs-devel@gnu.org
> Date: Sat, 17 Oct 2015 20:23:17 +0200
>
> > I don't think we'd like to have packages limited in that way. AFAIK,
> > we didn't until now, at least not consciously.
>
> Quoting RMS, coincidentally from a couple days ago:
>
> The policy is non-GNU systems are secondary, and lower priority than
> the GNU system, but we are glad to include support for them in GNU
> packages if users contribute the necessary code -- provided that
> code isn't a maintenance problem for us.
>
> The maintenainers of any particular package are the ones who judge
> whether that code is a maintenance problem, since they are the ones
> it would be a problem for.
I don't see how this is relevant for the issue at hand, since the
necessary code (the shell-quote-argument function) was already
contributed to Emacs years ago, and is used in many places in core
Emacs. There's no extra effort needed to support more platforms, just
replace one function with another.
> I generally don't want to take responsibility of my code being used on
> non-GNU/non-POSIX systems, but if I can share the responsibility then
> that's fine.
You are sharing the responsibility with a long line of Emacs
developers, all of whom use this function. I don't see anything you
should worry about, really.
> > And it really isn't a big deal. Emacs already has all the
> > infrastructure for portable handling of shell commands.
> >
> >> How much can I rely on shell-quote-argument?
> >
> > You can rely on it. Emacs uses it in umpteen important places.
> >
> >> Can one fully rely on it being safe against code injection?
> >
> > I don't think I understand what code injection you had in mind.
> > Please elaborate.
>
> (let ((file-list (read where-ever)))
> (shqq (cp -- ,@file-list some-place)))
>
> That code is *guaranteed* to either copy the files in file-list to
> some-place, or error, so long as the argument quoting by shqq works
> well. If it has a bug, then malicious input from where-ever may be able
> to execute arbitrary shell commands.
>
> Is shell-quote-argument safe against such a thing? My shqq-quote-string
> isn't exactly formally proven to be safe either, but its implementation
> is so simple it's fairly obvious that it doesn't contain bugs.
Please take a look at the implementation of shell-quote-argument. It
uses the same interfaces as your implementation, no more, no less. If
your implementation is safe, then so is shell-quote-argument.
next prev parent reply other threads:[~2015-10-17 19:09 UTC|newest]
Thread overview: 211+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-17 16:33 [PATCH] Add shell-quasiquote Taylan Ulrich Bayırlı/Kammer
2015-10-17 16:53 ` Eli Zaretskii
2015-10-17 17:14 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 17:28 ` Eli Zaretskii
2015-10-17 18:23 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 19:09 ` Eli Zaretskii [this message]
2015-10-17 20:28 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 20:44 ` Dmitry Gutov
2015-10-17 21:25 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:32 ` Dmitry Gutov
2015-10-17 22:00 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 7:55 ` Michael Albinus
2015-10-18 10:07 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 10:55 ` Michael Albinus
2015-10-18 12:59 ` Random832
2015-10-18 13:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 15:06 ` Michael Albinus
2015-10-18 17:32 ` Eli Zaretskii
2015-10-18 19:17 ` Random832
2015-10-18 19:52 ` Eli Zaretskii
2015-10-19 4:32 ` Stephen J. Turnbull
2015-10-19 5:15 ` Eli Zaretskii
2015-10-19 5:19 ` Daniel Colascione
2015-10-19 5:56 ` Eli Zaretskii
2015-10-19 8:16 ` Taylan Ulrich Bayırlı/Kammer
2015-10-31 17:03 ` Kai Großjohann
2015-10-31 16:50 ` Kai Großjohann
2015-10-31 19:03 ` Michael Albinus
2015-10-17 22:09 ` Random832
2015-10-17 22:45 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 20:47 ` Paul Eggert
2015-10-17 21:20 ` Random832
2015-10-17 21:35 ` Paul Eggert
2015-10-17 21:27 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:53 ` Paul Eggert
2015-10-17 22:22 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 2:40 ` Paul Eggert
2015-10-18 10:03 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 15:54 ` Eli Zaretskii
2015-10-18 16:40 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 17:48 ` John Wiegley
2015-10-18 2:47 ` Eli Zaretskii
2015-10-18 13:35 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 19:14 ` Random832
2015-10-17 19:44 ` Eli Zaretskii
2015-10-17 20:43 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:01 ` Random832
2015-10-17 17:23 ` Artur Malabarba
2015-10-17 18:11 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 18:42 ` Artur Malabarba
2015-10-19 12:35 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 12:59 ` David Kastrup
2015-10-19 13:09 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:48 ` Random832
2015-10-19 13:53 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 15:10 ` Paul Eggert
2015-10-19 17:06 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 1:41 ` Paul Eggert
2015-10-20 7:41 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 10:16 ` Nicolas Richard
2015-10-20 15:47 ` Dmitry Gutov
2015-10-20 16:41 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:59 ` Dmitry Gutov
2015-10-20 17:32 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:41 ` Dmitry Gutov
2015-10-20 17:58 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:11 ` Dmitry Gutov
2015-10-20 18:19 ` Eli Zaretskii
2015-10-20 23:34 ` Contributors and maintainers (Was: [PATCH] Add shell-quasiquote.) John Wiegley
2015-10-21 7:29 ` Contributors and maintainers Taylan Ulrich Bayırlı/Kammer
2015-10-21 8:27 ` Werner LEMBERG
2015-10-21 8:45 ` David Kastrup
2015-10-21 12:03 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 14:22 ` Eli Zaretskii
2015-10-21 14:40 ` David Kastrup
2015-10-21 16:05 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:16 ` Stephen J. Turnbull
2015-10-21 18:37 ` John Wiegley
2015-10-21 14:34 ` Tassilo Horn
2015-10-21 16:53 ` John Wiegley
2015-10-21 17:24 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:49 ` John Wiegley
2015-10-21 14:07 ` Eli Zaretskii
2015-10-21 14:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 15:44 ` David Kastrup
2015-10-21 16:23 ` Eli Zaretskii
2015-10-21 17:22 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 17:41 ` Eli Zaretskii
2015-10-21 19:58 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 21:21 ` John Wiegley
2015-10-21 23:12 ` David Kastrup
2015-10-22 14:38 ` Eli Zaretskii
2015-10-21 14:45 ` Jay Belanger
2015-10-21 17:05 ` John Wiegley
2015-10-21 17:46 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:12 ` John Wiegley
2015-10-21 18:19 ` Eli Zaretskii
2015-10-21 18:18 ` Stephen J. Turnbull
2015-10-21 18:54 ` John Wiegley
2015-10-22 5:40 ` Maintainers and contributors (was: Contributors and maintainers) John Wiegley
2015-10-22 7:20 ` Maintainers and contributors David Kastrup
2015-10-22 10:34 ` Maintainers and contributors (was: Contributors and maintainers) Artur Malabarba
2015-10-22 11:08 ` Maintainers and contributors David Kastrup
2015-10-22 11:55 ` Artur Malabarba
2015-10-22 12:04 ` Dmitry Gutov
2015-10-22 12:32 ` David Kastrup
2015-10-22 15:10 ` Eli Zaretskii
2015-10-22 18:27 ` John Wiegley
2015-10-22 19:08 ` Dmitry Gutov
2015-10-22 23:37 ` John Wiegley
2015-10-23 0:37 ` Jay Belanger
2015-10-22 18:58 ` Jay Belanger
2015-10-21 3:25 ` [PATCH] Add shell-quasiquote Random832
2015-10-21 4:30 ` David Kastrup
2015-10-21 14:05 ` Eli Zaretskii
2015-10-21 14:18 ` Random832
2015-10-21 14:40 ` Michael Albinus
2015-10-21 16:19 ` Eli Zaretskii
2015-10-21 16:37 ` David Kastrup
2015-10-21 17:18 ` Eli Zaretskii
2015-10-21 17:06 ` Random832
2015-10-21 17:32 ` Eli Zaretskii
2015-10-21 18:11 ` Stephen J. Turnbull
2015-10-21 18:24 ` David Kastrup
2015-10-26 12:58 ` Steinar Bang
2015-10-21 18:24 ` Wolfgang Jenkner
2015-10-21 18:44 ` Eli Zaretskii
2015-10-21 18:57 ` Wolfgang Jenkner
2015-10-21 19:10 ` Eli Zaretskii
2015-10-21 19:30 ` John Wiegley
2015-10-22 10:54 ` Wolfgang Jenkner
2015-10-22 11:21 ` Jeff Clough
2015-10-22 12:47 ` David Kastrup
2015-10-22 15:11 ` Eli Zaretskii
2015-10-22 15:23 ` David Kastrup
2015-10-22 15:51 ` Andreas Schwab
2015-10-22 13:09 ` Wolfgang Jenkner
2015-10-22 15:03 ` Eli Zaretskii
2015-10-22 15:12 ` David Kastrup
2015-11-06 23:35 ` Kai Großjohann
2015-11-07 7:51 ` Eli Zaretskii
2015-10-22 15:41 ` Paul Eggert
2015-10-22 15:52 ` Eli Zaretskii
2015-10-22 17:25 ` Wolfgang Jenkner
2015-10-21 18:11 ` David Kastrup
2015-10-21 18:49 ` Random832
2015-10-21 19:03 ` Eli Zaretskii
2015-10-21 19:10 ` Random832
2015-10-21 19:21 ` Eli Zaretskii
2015-10-21 19:50 ` Random832
2015-10-22 2:38 ` Eli Zaretskii
2015-10-22 7:03 ` David Kastrup
2015-10-22 13:41 ` Random832
2015-10-22 13:53 ` David Kastrup
2015-10-22 14:41 ` Random832
2015-10-22 14:50 ` David Kastrup
2015-10-22 16:18 ` Stephen J. Turnbull
2015-10-22 15:20 ` Eli Zaretskii
2015-11-01 18:39 ` Kai Großjohann
2015-11-01 20:39 ` Eli Zaretskii
2015-11-01 22:34 ` Michael Albinus
2015-10-20 19:00 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 19:48 ` Werner LEMBERG
2015-10-20 20:47 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 21:08 ` Werner LEMBERG
2015-10-21 14:09 ` Eli Zaretskii
2015-10-21 18:22 ` John Wiegley
2015-10-20 16:21 ` Paul Eggert
2015-10-20 17:11 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:22 ` Paul Eggert
2015-10-20 17:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:12 ` Paul Eggert
2015-10-20 18:21 ` Eli Zaretskii
2015-10-20 18:55 ` Taylan Ulrich Bayırlı/Kammer
2015-10-22 3:35 ` Paul Eggert
2015-10-19 13:22 ` Eli Zaretskii
2015-10-19 13:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:56 ` Eli Zaretskii
2015-10-19 13:41 ` Artur Malabarba
2015-10-19 13:43 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:55 ` Dmitry Gutov
2015-10-19 14:09 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 15:13 ` Dmitry Gutov
2015-10-19 17:08 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 17:11 ` Dmitry Gutov
2015-10-19 17:46 ` Eli Zaretskii
2015-10-20 4:35 ` Stephen J. Turnbull
2015-10-20 7:26 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 7:55 ` David Kastrup
2015-10-20 8:17 ` John Wiegley
2015-10-20 8:38 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 12:48 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 11:45 ` Becoming an Emacs contributor (was: [PATCH] Add shell-quasiquote.) Óscar Fuentes
2015-10-20 12:56 ` Becoming an Emacs contributor Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:26 ` Eli Zaretskii
2015-10-20 17:32 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:41 ` Eli Zaretskii
2015-10-20 17:53 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:53 ` David Kastrup
2015-10-20 18:44 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 19:12 ` David Kastrup
2015-10-24 17:26 ` Nix
2015-10-20 16:47 ` Becoming an Emacs contributor (was: [PATCH] Add shell-quasiquote.) Kaushal Modi
2015-10-20 8:34 ` [PATCH] Add shell-quasiquote Taylan Ulrich Bayırlı/Kammer
2015-10-20 8:49 ` David Kastrup
2015-10-20 8:54 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 15:40 ` Eli Zaretskii
2015-10-20 16:31 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:51 ` Eli Zaretskii
2015-10-20 17:28 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:02 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83a8rh48if.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=emacs-devel@gnu.org \
--cc=taylanbayirli@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.