From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?=
	=?utf-8?Q?=2FKammer?=)
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:07:00 +0200
Message-ID: <878u70trqz.fsf@T420.taylan>
References: <87si59wj42.fsf@T420.taylan> <83eggt4esi.fsf@gnu.org>
	<87fv19wh7b.fsf@T420.taylan> <83bnbx4d7e.fsf@gnu.org>
	<87twppuzfu.fsf@T420.taylan> <83a8rh48if.fsf@gnu.org>
	<87io65utmt.fsf@T420.taylan> <5622B337.4050700@yandex.ru>
	<876125uqzw.fsf@T420.taylan> <5622BE84.8030209@yandex.ru>
	<87twpptato.fsf@T420.taylan> <87pp0cehly.fsf@gmx.de>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Trace: ger.gmane.org 1445162829 30971 80.91.229.3 (18 Oct 2015 10:07:09 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 18 Oct 2015 10:07:09 +0000 (UTC)
Cc: Eli Zaretskii <eliz@gnu.org>, emacs-devel@gnu.org,
	Dmitry Gutov <dgutov@yandex.ru>
To: Michael Albinus <michael.albinus@gmx.de>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sun Oct 18 12:07:08 2015
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Znkrs-0007Hs-0b
	for ged-emacs-devel@m.gmane.org; Sun, 18 Oct 2015 12:07:08 +0200
Original-Received: from localhost ([::1]:33085 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1Znkrr-0006p3-Bh
	for ged-emacs-devel@m.gmane.org; Sun, 18 Oct 2015 06:07:07 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:52665)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <taylanbayirli@gmail.com>) id 1Znkro-0006on-3d
	for emacs-devel@gnu.org; Sun, 18 Oct 2015 06:07:05 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <taylanbayirli@gmail.com>) id 1Znkrn-0003eX-8y
	for emacs-devel@gnu.org; Sun, 18 Oct 2015 06:07:04 -0400
Original-Received: from mail-wi0-x229.google.com ([2a00:1450:400c:c05::229]:33356)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <taylanbayirli@gmail.com>)
	id 1Znkrn-0003dm-2t; Sun, 18 Oct 2015 06:07:03 -0400
Original-Received: by wijp11 with SMTP id p11so62053622wij.0;
	Sun, 18 Oct 2015 03:07:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:references:date:in-reply-to:message-id
	:user-agent:mime-version:content-type:content-transfer-encoding;
	bh=XH1ob4RNYgTupAf0WBLRl4zpoejlGY19ehLXve3tTys=;
	b=QjnywnU/VQYStfVy72VQHuO7V1Shuf967XyqbwFYjCI35f9rebAEPUAtT3GpLfPssG
	IdHa3xI3LRd+5BKdOsBBI4iZ6JqswcC24ZpQTi5NsP/hgitZSu3YXGseC6EWGJ9LsUMm
	kpOLuuz8ctvpibkmPPM2YHNDwK1rccNGrMj8Hz0oNxF+dFML6rGGkjAZqCG89rAtWePo
	sMLMox0dEu2IHYCH7O5oaWoyG/qWOUH6tMPZu1W8v8aBoh14ViotSFofO8rTP/Tb2TnR
	SFZF2pgOvfWVuWRUzanXe6rByACuDUXmpiayiBDO8mBptE7nx5ybsCbX+zb8v5MeGiGA
	wx3g==
X-Received: by 10.180.72.16 with SMTP id z16mr14628889wiu.19.1445162822510;
	Sun, 18 Oct 2015 03:07:02 -0700 (PDT)
Original-Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0])
	by smtp.gmail.com with ESMTPSA id
	r15sm10376516wib.18.2015.10.18.03.07.01
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 18 Oct 2015 03:07:01 -0700 (PDT)
In-Reply-To: <87pp0cehly.fsf@gmx.de> (Michael Albinus's message of "Sun, 18
	Oct 2015 09:55:05 +0200")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-Received-From: 2a00:1450:400c:c05::229
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:191926
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/191926>

Michael Albinus <michael.albinus@gmx.de> writes:

> taylanbayirli@gmail.com (Taylan Ulrich "Bay=C4=B1rl=C4=B1/Kammer") writes:
>
>> Dmitry Gutov <dgutov@yandex.ru> writes:
>>
>>> On 10/18/2015 12:25 AM, Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer wrote:
>>>
>>>> Not knowing that there are bugs is not proof that there are no bugs.
>>>
>>> If you can't point out a bug, you have no justification to not use the
>>> standard function.
>>
>> No, I will *not* let users of my code potentially suffer from arbitrary
>> code injection attacks, thank you very much.
>
> If this is important for you, I recommend stop using Tramp. It makes
> heavy use of (a slightly modified version of) `shell-quote-argument'.

TRAMP doesn't read shell commands from arbitrary input sources...

I hope! :-)

Can a remote host arrange for TRAMP to use shell-quote-argument on
arbitrary strings and pass these to a shell that could potentially be
csh, or any shell we don't know shell-quote-argument to be safe for?  If
so, that might be a *very* serious issue and you should not be telling
*me* to stop using TRAMP but rather to the whole Emacs user-base.  I
mean it.

Taylan