From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Wed, 22 Feb 2023 17:29:23 +0200
Message-ID: <83y1opra5o.fsf@gnu.org>
Cc: 61709@debbugs.gnu.org
To: Xi Lu
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
In-Reply-To: (message from Xi Lu on Wed, 22 Feb 2023 22:35:54 +0800)
Xref: news.gmane.io gmane.emacs.bugs:256368

> Cc: Xi Lu
> From: Xi Lu
> Date: Wed, 22 Feb 2023 22:35:54 +0800
>
> (defun filesets-which-command-p (cmd)
> "Call \"which CMD\" and return non-nil if the command was found."
> @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
> (funcall vwr file)
> nil)
> (co-flag
> - (shell-command-to-string (format "%s %s" vwr args)))
> + (shell-command-to-string (shell-quote-argument
> + (format "%s %s" vwr args))))
> (t
> - (shell-command (format "%s %s&" vwr args))
> + (shell-command (shell-quote-argument
> + (format "%s %s&" vwr args)))
> nil))))

These two cannot be right: you are quoting several separate command-line arguments.

> (if co-flag
> (progn
> @@ -1578,7 +1581,7 @@ filesets-run-cmd
> " "))
> (cmd (concat fn " " args)))
> (filesets-cmd-show-result
> - cmd (shell-command-to-string cmd))))
> + cmd (shell-command-to-string (shell-quote-argument cmd)))))
> ((symbolp fn)
> (apply fn
> (mapcan (lambda (this)

I think this is also wrong: cmd is not a single word. In general, you cannot quote arbitrary parts of a shell command; you can only quote each command-line argument separately.
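Review bot: in the `filesets-spawn-external-viewer` hunk (`@@ -1264,9 +1265,11 @@`), wrapping the whole `(format "%s %s" vwr args)` string in `shell-quote-argument` escapes the space between the viewer and its arguments, so the shell receives a single word naming a program that does not exist; in the `shell-command` branch the trailing `&` is escaped too, so the viewer would no longer be started in the background even if the name resolved. Quote the pieces before assembling the line, e.g. `(shell-quote-argument vwr)` plus each argument quoted on its own, or avoid the shell entirely and pass `vwr` and the argument list to `start-process` (asynchronous, the equivalent of the `&` form) or `call-process`, which take arguments as a list and need no quoting.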
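Review bot: in the `filesets-run-cmd` hunk (`@@ -1578,7 +1581,7 @@`), `cmd` is `(concat fn " " args)` where `args` has already been joined with `" "` a few lines up, so `(shell-quote-argument cmd)` escapes every separator and the shell sees one word that names no executable. The quoting belongs on `fn` and on each individual argument before they are joined (the `" "` join that produces `args` is the natural place), and `filesets-cmd-show-result` should then be shown the same quoted `cmd` that is actually executed; alternatively build an argument list and hand it to `call-process`, which bypasses the shell.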
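An added example (my own, not code from the patch or from filesets.el) contrasting the three approaches: quoting the assembled command line as the patch does, quoting each argument separately, and handing the argument list to the process without a shell. The `demo-` function names, the viewer `xdg-open` and the file name are constructed sample values.

```elisp
;; Added example, not part of the patch or of filesets.el.
;; Sample viewer and file name below are constructed.

(defun demo-quote-whole-line (vwr args)
  "Quote the assembled command line as one word, as the patch does.
VWR is the program name, ARGS a list of argument strings."
  (shell-quote-argument (format "%s %s" vwr (mapconcat #'identity args " "))))

(defun demo-quote-each-argument (vwr args)
  "Quote the program name and every argument separately, then join them.
Only characters inside each word are escaped, so the shell splits the
result back into exactly (1+ (length args)) words."
  (mapconcat #'shell-quote-argument (cons vwr args) " "))

(defun demo-run-without-shell (vwr args)
  "Preferred form: pass the argument list straight to the process.
No shell parses anything, so no quoting is needed.  `start-process' is
asynchronous, matching the `&' variant; `call-process' is the synchronous
counterpart to `shell-command-to-string'."
  (apply #'start-process "demo-viewer" nil vwr args))

(let ((vwr "xdg-open")
      (args '("my file (draft).pdf")))
  ;; Here the space after the program name is escaped as well, so a shell
  ;; given this string looks for a single program whose name contains the
  ;; space and the whole file name.
  (message "whole line:   %s" (demo-quote-whole-line vwr args))
  ;; Here the program name stays a separate word and only the spaces and
  ;; parentheses inside the file name are escaped.
  (message "per argument: %s" (demo-quote-each-argument vwr args)))
```

Evaluate the `let` form in `*scratch*` to compare the two strings in `*Messages*`; `demo-run-without-shell` is defined but not called, since it would actually launch the viewer.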