From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: emacs-devel@gnu.org
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:03:08 +0200 [thread overview]
Message-ID: <87d1wctrxf.fsf@T420.taylan> (raw)
In-Reply-To: <56230695.4070501@cs.ucla.edu> (Paul Eggert's message of "Sat, 17 Oct 2015 19:40:21 -0700")
Paul Eggert <eggert@cs.ucla.edu> writes:
> Taylan Ulrich Bayırlı/Kammer wrote:
>> Please tell me which shells shell-quote-argument is guaranteed to work
>> safely on
>
> Nobody can tell you that. What we can tell you is that
> shell-quote-argument works on a superset of uses that
> shqq--quote-string works on. The trust-based arguments against using
> shell-quote-argument all apply, with greater force, against using
> shqq--quote-string. For example, shqq--quote-string is more vulnerable
> to code-injection attacks than shell-quote-argument is.
The domain of a function is part of its semantics, even if in Lisp we
have no way to formalize it other than through documentation.
The domain of shqq--quote-string is arguments to POSIX shell commands.
It's safe within that domain, i.e. its whole domain, meaning in short
"it's safe."
The domain of shell-quote-argument is unknown, so it's unknown whether
it's safe. (If we include csh in its domain, it's known to be unsafe.)
Saying shqq--quote-string is more vulnerable is plain wrong. It's
either as safe as, or safer, than shell-quote-argument.
That may sound like "semantics," but it carries over to practice very
simply: if I can't tell my users what shells shqq is safe for (or worse,
imply to them that they can use it with just any shell), there's a good
chance they'll use it for shells its unsafe for, exposing themselves to
vulnerabilities. (Or if they're smarter than that, they will see that
my library is entirely useless for arbitrary input.)
Of course, I could use shell-quote-argument, but still document that
shqq is safe only for POSIX shells, no matter what shell-quote-argument
seems to try to accommodate for. I think that's an unnecessary
complication, but if it's going to satisfy others for whatever reason
then I'm not opposed to it because it's at least harmless. (I'll first
investigate further on possible breakage with shell-quote-argument's
quoting strategy for POSIX though.)
> I am not a fan of non-POSIX shells. They are a hassle to deal with and
> can cause significant problems in Emacs maintenance. In areas where
> they are a significant problem, we don't need to support them. But
> this particular instance is not a significant problem. Emacs already
> has a portable, tested, easy-to-use function to quote shell arguments,
> and there's good reason to use it here.
Arbitrary code injection is a very significant problem, and it has been
demonstrated in this thread that shell-quote-argument is vulnerable
against it.
Let's please all be more rigorous about such things in the future and
not pretend that problems are known not to exist when they're merely not
known to exist, let alone pretending that they don't exist shortly after
they've been demonstrated to exist.
I'll file a bug report about shell-quote-argument shortly, where we can
decide on more precise semantics for it (even if still open-ended) and
clearly document its safety guarantees.
Taylan
next prev parent reply other threads:[~2015-10-18 10:03 UTC|newest]
Thread overview: 211+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-17 16:33 [PATCH] Add shell-quasiquote Taylan Ulrich Bayırlı/Kammer
2015-10-17 16:53 ` Eli Zaretskii
2015-10-17 17:14 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 17:28 ` Eli Zaretskii
2015-10-17 18:23 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 19:09 ` Eli Zaretskii
2015-10-17 20:28 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 20:44 ` Dmitry Gutov
2015-10-17 21:25 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:32 ` Dmitry Gutov
2015-10-17 22:00 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 7:55 ` Michael Albinus
2015-10-18 10:07 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 10:55 ` Michael Albinus
2015-10-18 12:59 ` Random832
2015-10-18 13:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 15:06 ` Michael Albinus
2015-10-18 17:32 ` Eli Zaretskii
2015-10-18 19:17 ` Random832
2015-10-18 19:52 ` Eli Zaretskii
2015-10-19 4:32 ` Stephen J. Turnbull
2015-10-19 5:15 ` Eli Zaretskii
2015-10-19 5:19 ` Daniel Colascione
2015-10-19 5:56 ` Eli Zaretskii
2015-10-19 8:16 ` Taylan Ulrich Bayırlı/Kammer
2015-10-31 17:03 ` Kai Großjohann
2015-10-31 16:50 ` Kai Großjohann
2015-10-31 19:03 ` Michael Albinus
2015-10-17 22:09 ` Random832
2015-10-17 22:45 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 20:47 ` Paul Eggert
2015-10-17 21:20 ` Random832
2015-10-17 21:35 ` Paul Eggert
2015-10-17 21:27 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:53 ` Paul Eggert
2015-10-17 22:22 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 2:40 ` Paul Eggert
2015-10-18 10:03 ` Taylan Ulrich Bayırlı/Kammer [this message]
2015-10-18 15:54 ` Eli Zaretskii
2015-10-18 16:40 ` Taylan Ulrich Bayırlı/Kammer
2015-10-18 17:48 ` John Wiegley
2015-10-18 2:47 ` Eli Zaretskii
2015-10-18 13:35 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 19:14 ` Random832
2015-10-17 19:44 ` Eli Zaretskii
2015-10-17 20:43 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 21:01 ` Random832
2015-10-17 17:23 ` Artur Malabarba
2015-10-17 18:11 ` Taylan Ulrich Bayırlı/Kammer
2015-10-17 18:42 ` Artur Malabarba
2015-10-19 12:35 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 12:59 ` David Kastrup
2015-10-19 13:09 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:48 ` Random832
2015-10-19 13:53 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 15:10 ` Paul Eggert
2015-10-19 17:06 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 1:41 ` Paul Eggert
2015-10-20 7:41 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 10:16 ` Nicolas Richard
2015-10-20 15:47 ` Dmitry Gutov
2015-10-20 16:41 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:59 ` Dmitry Gutov
2015-10-20 17:32 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:41 ` Dmitry Gutov
2015-10-20 17:58 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:11 ` Dmitry Gutov
2015-10-20 18:19 ` Eli Zaretskii
2015-10-20 23:34 ` Contributors and maintainers (Was: [PATCH] Add shell-quasiquote.) John Wiegley
2015-10-21 7:29 ` Contributors and maintainers Taylan Ulrich Bayırlı/Kammer
2015-10-21 8:27 ` Werner LEMBERG
2015-10-21 8:45 ` David Kastrup
2015-10-21 12:03 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 14:22 ` Eli Zaretskii
2015-10-21 14:40 ` David Kastrup
2015-10-21 16:05 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:16 ` Stephen J. Turnbull
2015-10-21 18:37 ` John Wiegley
2015-10-21 14:34 ` Tassilo Horn
2015-10-21 16:53 ` John Wiegley
2015-10-21 17:24 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:49 ` John Wiegley
2015-10-21 14:07 ` Eli Zaretskii
2015-10-21 14:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 15:44 ` David Kastrup
2015-10-21 16:23 ` Eli Zaretskii
2015-10-21 17:22 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 17:41 ` Eli Zaretskii
2015-10-21 19:58 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 21:21 ` John Wiegley
2015-10-21 23:12 ` David Kastrup
2015-10-22 14:38 ` Eli Zaretskii
2015-10-21 14:45 ` Jay Belanger
2015-10-21 17:05 ` John Wiegley
2015-10-21 17:46 ` Taylan Ulrich Bayırlı/Kammer
2015-10-21 18:12 ` John Wiegley
2015-10-21 18:19 ` Eli Zaretskii
2015-10-21 18:18 ` Stephen J. Turnbull
2015-10-21 18:54 ` John Wiegley
2015-10-22 5:40 ` Maintainers and contributors (was: Contributors and maintainers) John Wiegley
2015-10-22 7:20 ` Maintainers and contributors David Kastrup
2015-10-22 10:34 ` Maintainers and contributors (was: Contributors and maintainers) Artur Malabarba
2015-10-22 11:08 ` Maintainers and contributors David Kastrup
2015-10-22 11:55 ` Artur Malabarba
2015-10-22 12:04 ` Dmitry Gutov
2015-10-22 12:32 ` David Kastrup
2015-10-22 15:10 ` Eli Zaretskii
2015-10-22 18:27 ` John Wiegley
2015-10-22 19:08 ` Dmitry Gutov
2015-10-22 23:37 ` John Wiegley
2015-10-23 0:37 ` Jay Belanger
2015-10-22 18:58 ` Jay Belanger
2015-10-21 3:25 ` [PATCH] Add shell-quasiquote Random832
2015-10-21 4:30 ` David Kastrup
2015-10-21 14:05 ` Eli Zaretskii
2015-10-21 14:18 ` Random832
2015-10-21 14:40 ` Michael Albinus
2015-10-21 16:19 ` Eli Zaretskii
2015-10-21 16:37 ` David Kastrup
2015-10-21 17:18 ` Eli Zaretskii
2015-10-21 17:06 ` Random832
2015-10-21 17:32 ` Eli Zaretskii
2015-10-21 18:11 ` Stephen J. Turnbull
2015-10-21 18:24 ` David Kastrup
2015-10-26 12:58 ` Steinar Bang
2015-10-21 18:24 ` Wolfgang Jenkner
2015-10-21 18:44 ` Eli Zaretskii
2015-10-21 18:57 ` Wolfgang Jenkner
2015-10-21 19:10 ` Eli Zaretskii
2015-10-21 19:30 ` John Wiegley
2015-10-22 10:54 ` Wolfgang Jenkner
2015-10-22 11:21 ` Jeff Clough
2015-10-22 12:47 ` David Kastrup
2015-10-22 15:11 ` Eli Zaretskii
2015-10-22 15:23 ` David Kastrup
2015-10-22 15:51 ` Andreas Schwab
2015-10-22 13:09 ` Wolfgang Jenkner
2015-10-22 15:03 ` Eli Zaretskii
2015-10-22 15:12 ` David Kastrup
2015-11-06 23:35 ` Kai Großjohann
2015-11-07 7:51 ` Eli Zaretskii
2015-10-22 15:41 ` Paul Eggert
2015-10-22 15:52 ` Eli Zaretskii
2015-10-22 17:25 ` Wolfgang Jenkner
2015-10-21 18:11 ` David Kastrup
2015-10-21 18:49 ` Random832
2015-10-21 19:03 ` Eli Zaretskii
2015-10-21 19:10 ` Random832
2015-10-21 19:21 ` Eli Zaretskii
2015-10-21 19:50 ` Random832
2015-10-22 2:38 ` Eli Zaretskii
2015-10-22 7:03 ` David Kastrup
2015-10-22 13:41 ` Random832
2015-10-22 13:53 ` David Kastrup
2015-10-22 14:41 ` Random832
2015-10-22 14:50 ` David Kastrup
2015-10-22 16:18 ` Stephen J. Turnbull
2015-10-22 15:20 ` Eli Zaretskii
2015-11-01 18:39 ` Kai Großjohann
2015-11-01 20:39 ` Eli Zaretskii
2015-11-01 22:34 ` Michael Albinus
2015-10-20 19:00 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 19:48 ` Werner LEMBERG
2015-10-20 20:47 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 21:08 ` Werner LEMBERG
2015-10-21 14:09 ` Eli Zaretskii
2015-10-21 18:22 ` John Wiegley
2015-10-20 16:21 ` Paul Eggert
2015-10-20 17:11 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:22 ` Paul Eggert
2015-10-20 17:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:12 ` Paul Eggert
2015-10-20 18:21 ` Eli Zaretskii
2015-10-20 18:55 ` Taylan Ulrich Bayırlı/Kammer
2015-10-22 3:35 ` Paul Eggert
2015-10-19 13:22 ` Eli Zaretskii
2015-10-19 13:36 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:56 ` Eli Zaretskii
2015-10-19 13:41 ` Artur Malabarba
2015-10-19 13:43 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 13:55 ` Dmitry Gutov
2015-10-19 14:09 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 15:13 ` Dmitry Gutov
2015-10-19 17:08 ` Taylan Ulrich Bayırlı/Kammer
2015-10-19 17:11 ` Dmitry Gutov
2015-10-19 17:46 ` Eli Zaretskii
2015-10-20 4:35 ` Stephen J. Turnbull
2015-10-20 7:26 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 7:55 ` David Kastrup
2015-10-20 8:17 ` John Wiegley
2015-10-20 8:38 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 12:48 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 11:45 ` Becoming an Emacs contributor (was: [PATCH] Add shell-quasiquote.) Óscar Fuentes
2015-10-20 12:56 ` Becoming an Emacs contributor Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:26 ` Eli Zaretskii
2015-10-20 17:32 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:41 ` Eli Zaretskii
2015-10-20 17:53 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 17:53 ` David Kastrup
2015-10-20 18:44 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 19:12 ` David Kastrup
2015-10-24 17:26 ` Nix
2015-10-20 16:47 ` Becoming an Emacs contributor (was: [PATCH] Add shell-quasiquote.) Kaushal Modi
2015-10-20 8:34 ` [PATCH] Add shell-quasiquote Taylan Ulrich Bayırlı/Kammer
2015-10-20 8:49 ` David Kastrup
2015-10-20 8:54 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 15:40 ` Eli Zaretskii
2015-10-20 16:31 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 16:51 ` Eli Zaretskii
2015-10-20 17:28 ` Taylan Ulrich Bayırlı/Kammer
2015-10-20 18:02 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d1wctrxf.fsf@T420.taylan \
--to=taylanbayirli@gmail.com \
--cc=eggert@cs.ucla.edu \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.