From: Eli Zaretskii
To: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Cc: 21702@debbugs.gnu.org
Subject: bug#21702: shell-quote-argument semantics and safety
Date: Sun, 18 Oct 2015 20:16:54 +0300
Message-ID: <83pp0chzax.fsf@gnu.org>
In-reply-to: <871tcstkuk.fsf@T420.taylan>

> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
> Date: Sun, 18 Oct 2015 14:36:03 +0200
>
> The documentation of shell-quote-argument only says
>
>     Quote ARGUMENT for passing as argument to an inferior shell.
>
> It's unclear for which shells this is supposed to work.

I fixed the doc string to clarify that this function works correctly
with the system's standard shell.

> In a recent thread in emacs-devel, it has been demonstrated that if
> the result is passed to csh, it can allow an attacker to execute an
> arbitrary shell command

As I understand it, csh is not the standard shell on Posix systems, so
the fixed doc string now says not to expect it to work with csh.

> The function should clearly document
>
> 1) for which shells will the quoting work absolutely, i.e. lead to
> the given string to appear *verbatim* in an element of the ARGV of
> the called command,
>
> 2) optionally, for which shells will the quoting at least prevent
> code injection,
>
> 3) optionally, for which shells and character sets for ARGUMENT will
> the quoting work absolutely,
>
> 4) optionally, for which shells and character sets for ARGUMENT will
> the quoting at least prevent code injection,
>
> 5) optionally, for which shells will the quoting work at all even if
> it provides no clear semantics, such that one can at least use it
> with data coming from trusted sources (e.g. other parts of Emacs's
> source code, or the user sitting in front of Emacs), where it's the
> user's/programmer's responsibility to stick to values for ARGUMENT
> that are intuitively known to be unproblematic even if the character
> set isn't well-defined.
>
> Currently #5 seems to be implied for all shells, for lack of further
> documentation. Possibly, the function was never meant to be used with
> untrusted data, but there's no warning against doing so either.

I think 1) is now covered, and the rest are optional. In particular,
our way to provide better safety is not by documenting APIs that could
be maliciously abused, but by marking the related variables as unsafe
unless they have special predefined values. So I don't think we
should extend this particular doc string with safety information.

> (defun shell-quote-argument (argument) > - "Quote ARGUMENT for passing as argument to an inferior shell." > + "Quote ARGUMENT for passing as argument to an inferior shell. > + > +This is safe for shells conforming to POSIX sh. No guarantees > +regarding code injection are made for other shells, but csh, > +MS-DOS and Windows NT are supported for simple cases as well."

Thanks, but I think this is no longer needed, after the change I made.
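
Review bot: "safe" in the added line "This is safe for shells conforming to POSIX sh" is left undefined; the docstring should say whether it means ARGUMENT arrives verbatim as a single ARGV element or only that code injection is prevented, since the report treats these as separate guarantees. The closing phrase "supported for simple cases as well" for csh, MS-DOS and Windows NT gives no criterion for a simple case; either define it or state that the result should not be used with untrusted data on those shells.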
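
Property 1 in the report (ARGUMENT appearing verbatim as one element of ARGV) can be checked mechanically for POSIX sh. The script below is an added example, not code from Emacs or from this thread: `posix_quote` is a stand-in that uses single-quote wrapping and makes no claim about how shell-quote-argument itself quotes, and all function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: round-trip test for "quoted string arrives verbatim as one ARGV element".

# Stand-in quoting function (assumption, not Emacs's algorithm):
# wrap in '...' and write every embedded ' as '\''.
posix_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) head=${s%%\'*}      # text before the first '
                  s=${s#*\'}          # text after the first '
                  out="$out$head'\\''" ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$s"
}

# Baseline that does no quoting at all; only ever called with benign input.
no_quote() { printf '%s' "$1"; }

# roundtrips QUOTER ARG: splice QUOTER's output into a command line for sh and
# succeed only if sh sees exactly one argument, byte-identical to ARG.
# The trailing "." keeps $(...) from stripping newlines that belong to ARG.
roundtrips() {
    q=$("$1" "$2")
    got=$(sh -c "set -- $q; printf '%s|%s.' \"\$#\" \"\$1\"" 2>/dev/null)
    [ "$got" = "1|$2." ]
}

nl='
'
# Constructed samples covering the metacharacters a POSIX shell interprets.
check_samples() {
    fails=0
    for a in "" "a b" "it's" "\$(echo x)" '`echo x`' "; echo x" '*' '~' \
             '$HOME' '\' '"' "-n" "line1${nl}line2" "trailing${nl}"; do
        roundtrips posix_quote "$a" || fails=$((fails + 1))
    done
    echo "$fails"
}

echo "samples that failed to round-trip: $(check_samples)"
```

The same harness can be pointed at another shell by replacing `sh -c`, which is how one would establish for which shells a given quoting function provides guarantee 1 rather than assuming it.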