From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#21702: shell-quote-argument semantics and safety
Date: Sun, 18 Oct 2015 22:48:15 +0300
Message-ID: <83h9lohsao.fsf@gnu.org>
References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan>
In-reply-to: <874mhoq9ct.fsf@T420.taylan>
To: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Cc: 21702@debbugs.gnu.org
Xref: news.gmane.org gmane.emacs.bugs:107722

> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
> Cc: 21702@debbugs.gnu.org
> Date: Sun, 18 Oct 2015 21:12:34 +0200
>
> I'd like to point out that (in the most extreme cases) people have
> actually been writing web servers and other such programs in Elisp for
> which one would normally use a general-purpose language.
>
> That is, "APIs that could be maliciously abused" is not the right way to
> look at it.  It's not about the Elisp programmer abusing the API, it's
> about a malicious data source exploiting a (potential) flaw in an Elisp
> function, which Elisp programmers have relied on and thus made their
> programs vulnerable to code injection.
>
> That's why I was being so careful with regard to the safety guarantees
> of the "shell-quasiquote" package I contributed.  I would like people to
> be able to use that as part of a general-purpose Elisp language, and so
> being safe against code injection is an absolute must.  They might after
> all use it as part of a network-facing service.
>
> Actually that might also apply when using e.g. TRAMP, which also
> communicates with remote hosts and is a normal part of Emacs.  I've been
> told it receives file names from remote hosts and passes them through
> shell-quote-argument before giving them to a shell.  So maybe my
> concerns apply there as well.
>
> Given that, "I think 1) is now covered" is not very relieving to hear.

Item 1 was this:

> >> The function should clearly document
> >>
> >> 1) for which shells will the quoting work absolutely, i.e. lead to
> >> the given string to appear *verbatim* in an element of the ARGV of
> >> the called command,

There's nothing about safety here, only about correctness.  That is the
aspect that I think is now covered, as the doc string now says for which
shells one can have correct results.

> It amounts to "I think this is safe against code injection" which is
> rather alarming to hear.  Either it's very confidently known to be safe
> and so one may use it for network-facing code, or it's not confidently
> known to be safe and so one shouldn't use it for network-facing code.
> This should be documented clearly especially so that users who aren't
> very aware of injection attacks won't nonchalantly use the function for
> their network-facing code (when the function isn't known to be safe for
> this), but also so that users who are aware of such issues know they can
> use the function and don't instead invent their own thing (when it is
> known to be safe).
>
> Does that make sense?

Maybe it does, but only if we start documenting these aspects
project-wide.  It makes little sense to me to do that for a single API,
and not an important one at that.  But that's me.
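The property item 1 asks to be documented (the quoted string arriving *verbatim* as one ARGV element of the called command) and the injection property Taylan asks about can both be checked against a real shell rather than argued about. The following is an added example, not code from Emacs or from this bug report. It assumes a POSIX `shell-file-name` whose `printf` honours `\0` in the format string (which POSIX requires), and it assumes the names `shell-quote-roundtrip`, `shell-quote-mismatches`, `shell-quote-naive` and `shell-quote-adversarial-args`, which are defined here and do not exist in Emacs. It runs a constructed corpus of hostile inputs through a quoting function and the shell, and reports every input that did not come back unchanged; an injected command shows up either as a mangled element or as extra ARGV entries. The same harness can be pointed at other installed shells to find out, per shell, whether the quoting holds. A deliberately naive quoter is included beside `shell-quote-argument` to show what a failure looks like.

```elisp
;;; shell-quote-roundtrip.el --- Does a quoted argument reach ARGV verbatim?

(require 'ert)
(require 'cl-lib)

(defun shell-quote-roundtrip (quote-fn args &optional shell)
  "Quote ARGS with QUOTE-FN, run them through SHELL, return what ARGV received.
QUOTE-FN maps one string to its quoted form (e.g. `shell-quote-argument').
SHELL defaults to `shell-file-name'.  The command line hands the quoted
strings to printf, which prints each ARGV element followed by a NUL, so the
result splits unambiguously even when arguments contain spaces or newlines."
  (let ((shell (or shell shell-file-name)))
    (with-temp-buffer
      (let* ((coding-system-for-read 'utf-8-unix) ; keep embedded newlines as-is
             (command (concat "printf '%s\\0' " (mapconcat quote-fn args " ")))
             (status (call-process shell nil t nil shell-command-switch command)))
        (unless (eq status 0)
          (error "%s exited with status %s running: %s" shell status command))
        (let ((fields (split-string (buffer-string) "\0")))
          ;; A well-behaved run ends with a NUL, leaving one empty trailing
          ;; field.  Anything else (e.g. output from an injected command) is
          ;; kept so that it shows up in the comparison.
          (if (equal (car (last fields)) "") (butlast fields) fields))))))

(defun shell-quote-mismatches (quote-fn args &optional shell)
  "Return an alist of (INPUT . RECEIVED) for every element of ARGS that did
not survive QUOTE-FN and SHELL verbatim.  An `argv-count' entry means the
shell saw a different number of arguments than were sent.  nil means the
quoting held for this corpus under this shell."
  (let ((received (shell-quote-roundtrip quote-fn args shell))
        mismatches)
    (unless (= (length received) (length args))
      (push (cons 'argv-count (length received)) mismatches))
    (cl-loop for in in args for out in received
             unless (equal in out) do (push (cons in out) mismatches))
    (nreverse mismatches)))

(defconst shell-quote-adversarial-args
  '(""                          ; empty argument must still occupy an ARGV slot
    "plain"
    "has space"
    "it's"                      ; single quote: breaks naive '...' wrapping
    "\"double\""
    "$(echo INJECTED)"          ; command substitution
    "`echo INJECTED`"
    "a;echo INJECTED"           ; command separator
    "a\necho INJECTED"          ; newline as command separator
    "a|b&c>d<e"                 ; pipes, background, redirections
    "*?[x]~"                    ; globbing and tilde expansion
    "-n"                        ; looks like an option
    "\\backslash\\")
  "Constructed inputs of the kind a malicious data source might supply.")

(defun shell-quote-naive (arg)
  "Deliberately unsafe quoting for contrast: wrap ARG in single quotes without
escaping.  A single quote inside ARG ends the quoted region, and the rest of
ARG is parsed as shell syntax."
  (concat "'" arg "'"))

(defconst shell-quote-posix-systems '(gnu gnu/linux gnu/kfreebsd darwin berkeley-unix))

(ert-deftest shell-quote-argument-reaches-argv-verbatim ()
  "Every adversarial input must come back from the default shell unchanged."
  (skip-unless (memq system-type shell-quote-posix-systems))
  (should-not (shell-quote-mismatches #'shell-quote-argument
                                      shell-quote-adversarial-args)))

(ert-deftest shell-quote-argument-across-installed-shells ()
  "Answer item 1 empirically: which installed shells preserve the corpus?"
  (skip-unless (memq system-type shell-quote-posix-systems))
  (dolist (sh '("/bin/sh" "/bin/dash" "/bin/bash" "/bin/ksh" "/bin/zsh"))
    (when (file-executable-p sh)
      (should-not (shell-quote-mismatches #'shell-quote-argument
                                          shell-quote-adversarial-args sh)))))

(ert-deftest shell-quote-naive-is-injectable ()
  "The naive quoter lets a single quote in the data run an extra command."
  (skip-unless (memq system-type shell-quote-posix-systems))
  ;; Quoted naively this becomes: printf '%s\0' ''; echo INJECTED ''
  (let ((payload "'; echo INJECTED '"))
    (should (shell-quote-mismatches #'shell-quote-naive (list payload)))))

;; Usage: M-x ert RET shell-quote RET, or interactively
;; (shell-quote-mismatches #'shell-quote-argument shell-quote-adversarial-args "/bin/zsh")
```

The comparison is the whole check: if the list the shell hands to `printf` equals the list that was quoted, the string appeared verbatim in ARGV, which is exactly item 1; and because an injected command can only manifest as a changed element or an extra one, the same comparison is the evidence for the safety question too. Note that a clean run under the shells you happen to have installed is a measurement, not a proof, and that `shell-quote-argument` documents itself as targeting the system's standard shell only.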