From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 00:45:32 +0200
Message-ID: <87h9lpt8qb.fsf@T420.taylan>
In-Reply-To: <87oafx171d.fsf@fastmail.com> (Random's message of "Sat, 17 Oct 2015 18:09:34 -0400")
To: Random832
Cc: emacs-devel@gnu.org

Random832 writes:

> taylanbayirli@gmail.com (Taylan Ulrich "Bayırlı/Kammer") writes:
>
>> Dmitry Gutov writes:
>>> If you know of a real problem scenario reproducible with
>>> shell-quote-argument, please file a bug. Then we'll fix it.
>>
>> Not knowing that there are bugs is not proof that there are no bugs.
>
> Why aren't you as sure of its safety, regarding the POSIX section, as you
> are of the safety of your implementation?

I was probably being overly pedantic on that one, but if \ has a
semantics other than resulting in a literal newline, I thought maybe
some other \ sequences might also have different semantics.  With
different kinds of whitespace and all.

>>> Either way, please avoid reinventing the wheel.
>>
>> It's not a reinvention because it has very strict semantics with regard
>> to safety guarantees, which shell-quote-argument apparently doesn't.
>
> Out of curiosity, how are you guaranteeing that the result will be
> executed by a POSIX shell? Passing a string quoted by your function to
> MS Windows' cmd.exe (or, for that matter, to csh - even worse than the
> existing version) would be an absolute disaster as far as injection
> vulnerabilities go.

I'm afraid there's no way for my library to mechanically prevent that,
since the library only outputs commands as strings.  (So the user can
pass it to shell-command, async-shell-command, shell-command-on-region,
or anything else.)

Though it would have been best to be able to prevent such mistakes
mechanically, I hope having it in the first two sentences of the
documentation is good enough. :-)

Taylan
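
The quoting question debated in this thread, as an added example that is not part of the original message and is not code from shell-quasiquote or Emacs: in a POSIX shell a backslash followed by a newline is a line continuation and both characters are removed, so a quoter that backslash-escapes every character silently drops newlines, while single-quote wrapping keeps them. The function names `sq_quote`, `bs_quote` and `roundtrip` are hypothetical, the sample input is constructed, and the command is handed to `sh -c` explicitly because the result is only meaningful to a POSIX shell.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not an existing API.

# sq_quote ARG: wrap ARG in single quotes, rewriting each ' as '\''.
# Inside single quotes a POSIX shell takes every character literally.
sq_quote() {
    _q="'" _rest=$1 _out=
    while :; do
        case $_rest in
            *"$_q"*) _out=$_out${_rest%%"$_q"*}"'\\''"
                     _rest=${_rest#*"$_q"} ;;
            *) break ;;
        esac
    done
    printf '%s' "'$_out$_rest'"
}

# bs_quote ARG: naive quoter that puts a backslash before every character.
bs_quote() {
    _s=$1 _o=
    while [ -n "$_s" ]; do
        _tail=${_s#?}
        _o=$_o\\${_s%"$_tail"}     # backslash + first character of _s
        _s=$_tail
    done
    printf '%s' "$_o"
}

# roundtrip QUOTER ARG: build a command string with QUOTER, run it in a
# POSIX shell, and succeed only if the shell saw ARG byte for byte.
# The trailing "." protects trailing newlines from $(...) stripping.
roundtrip() {
    _cmd="printf '%s.' $("$1" "$2")"
    _got=$(sh -c "$_cmd")
    [ "$_got" = "$2." ]
}

NL='
'
sample="it's \$(echo x); \\ c${NL}d"   # constructed input
for q in sq_quote bs_quote; do
    if roundtrip "$q" "$sample"; then
        echo "$q: argument preserved"
    else
        echo "$q: argument altered by the shell"
    fi
done
```
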