From: Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
To: Paul Eggert
Cc: emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:03:08 +0200
Message-ID: <87d1wctrxf.fsf@T420.taylan>
In-Reply-To: <56230695.4070501@cs.ucla.edu> (Paul Eggert's message of "Sat, 17 Oct 2015 19:40:21 -0700")

Paul Eggert writes:

> Taylan Ulrich Bayırlı/Kammer wrote:
>> Please tell me which shells shell-quote-argument is guaranteed to work safely on
>
> Nobody can tell you that. What we can tell you is that shell-quote-argument works on a superset of uses that shqq--quote-string works on. The trust-based arguments against using shell-quote-argument all apply, with greater force, against using shqq--quote-string. For example, shqq--quote-string is more vulnerable to code-injection attacks than shell-quote-argument is.

The domain of a function is part of its semantics, even if in Lisp we have no way to formalize it other than through documentation. The domain of shqq--quote-string is arguments to POSIX shell commands. It's safe within that domain, i.e. its whole domain, meaning in short "it's safe." The domain of shell-quote-argument is unknown, so it's unknown whether it's safe. (If we include csh in its domain, it's known to be unsafe.)

Saying shqq--quote-string is more vulnerable is plain wrong. It's either as safe as, or safer than, shell-quote-argument.

That may sound like "semantics," but it carries over to practice very simply: if I can't tell my users what shells shqq is safe for (or worse, imply to them that they can use it with just any shell), there's a good chance they'll use it for shells it's unsafe for, exposing themselves to vulnerabilities. (Or if they're smarter than that, they will see that my library is entirely useless for arbitrary input.)

Of course, I could use shell-quote-argument, but still document that shqq is safe only for POSIX shells, no matter what shell-quote-argument seems to try to accommodate.
I think that's an unnecessary complication, but if it's going to satisfy others for whatever reason then I'm not opposed to it, because it's at least harmless. (I'll first investigate further into possible breakage with shell-quote-argument's quoting strategy for POSIX though.)

> I am not a fan of non-POSIX shells. They are a hassle to deal with and can cause significant problems in Emacs maintenance. In areas where they are a significant problem, we don't need to support them. But this particular instance is not a significant problem. Emacs already has a portable, tested, easy-to-use function to quote shell arguments, and there's good reason to use it here.

Arbitrary code injection is a very significant problem, and it has been demonstrated in this thread that shell-quote-argument is vulnerable to it. Let's please all be more rigorous about such things in the future and not pretend that problems are known not to exist when they're merely not known to exist, let alone pretending that they don't exist shortly after they've been demonstrated to exist.

I'll file a bug report about shell-quote-argument shortly, where we can decide on more precise semantics for it (even if still open-ended) and clearly document its safety guarantees.

Taylan
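As an added example, not code from shqq, from Emacs, or from anyone in this thread: a POSIX-shell rendering of the single-quote strategy under discussion, with a round-trip check through a fresh `sh -c` on constructed inputs that contain shell metacharacters. Its domain is the one claimed for shqq--quote-string above, POSIX shells only; nothing here applies to csh.

```shell
#!/bin/sh
# Quote one argument so that a POSIX shell passes it through as exactly one
# word, with no expansion or command substitution. Strategy: wrap the value
# in single quotes and replace every embedded single quote with '\''
# (close the quoted string, emit an escaped quote, reopen the string).
# Embedded newlines survive: sed keeps them, only the first line gets the
# opening quote and only the last line gets the closing one.
posix_quote() {
  printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# Round-trip check: hand the quoted form to a fresh POSIX sh and compare what
# comes back with the original value. The trailing X sentinel stops $(...)
# from swallowing trailing newlines in the output.
roundtrip() {
  q=$(posix_quote "$1")
  out=$(sh -c "printf '%sX' $q")
  [ "${out%X}" = "$1" ]
}

# Constructed sample inputs: each carries something the shell would interpret
# (variables, substitutions, separators, globs, quotes, newlines) if it
# reached sh unquoted. Every one must come back byte-for-byte unchanged.
check_samples() {
  roundtrip "plain" &&
  roundtrip "two words" &&
  roundtrip "it's" &&
  roundtrip '$HOME and $(echo sub) and `echo back`' &&
  roundtrip 'a; echo not-run' &&
  roundtrip 'line one
line two' &&
  roundtrip '*.txt ~user' &&
  roundtrip ''
}

check_samples && echo "all samples round-trip unchanged"
```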