From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:55:09 +0200
Message-ID: <87si58phte.fsf@gmx.de>
To: taylanbayirli@gmail.com (Taylan Ulrich "Bayırlı/Kammer")
Cc: Eli Zaretskii, emacs-devel@gnu.org, Dmitry Gutov

taylanbayirli@gmail.com (Taylan Ulrich "Bayırlı/Kammer") writes:

> Can a remote host arrange for TRAMP to use shell-quote-argument on
> arbitrary strings and pass these to a shell that could potentially be
> csh, or any shell we don't know shell-quote-argument to be safe for?

Tramp uses `shell-quote-argument' on strings it has constructed itself. But those strings contain file names Tramp has read on the remote side. There is no check on the contents of such file names.

There is no special check on a remote shell being csh. But most of the shell commands Tramp emits require a bournish shell. Otherwise, there would be syntax errors soon, and Tramp would cease to continue on that host.

In theory, anything could go with unknown file name strings. But I'm not aware of how one could exploit it. If you could show me a real exploit, I will react.

> Taylan

Best regards, Michael.

PS: I'm working as a Security Consultant, and so I am paranoid by definition. But I'm not *that* paranoid until I see there are good reasons for it.
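
Added example (not part of the original message and not Tramp's code): a local round-trip check that quotes constructed file names with `shell-quote-argument', hands them to a Bourne-style shell, and reports any name the shell does not receive back unchanged. The `sq-demo-` names and the sample list are hypothetical; it assumes a POSIX system with `sh` on the PATH.

```elisp
;;; Added example: round-trip check for `shell-quote-argument' through a
;;; Bourne-style shell.  Everything prefixed sq-demo- is hypothetical.
(require 'cl-lib)

(defvar sq-demo-sample-names
  '("plain.txt" "with space.txt" "semi;colon" "dollar$(id)" "back`tick`"
    "quote'single" "quote\"double" "new\nline" "star*glob?" "-leading-dash"
    "back\\slash" "")
  "Constructed file names containing shell metacharacters.")

(defun sq-demo-round-trip (name &optional shell)
  "Return the argument SHELL (default \"sh\") receives for quoted NAME.
The shell only runs printf on the quoted string, so the buffer holds
exactly what the shell parsed as a single word."
  (with-temp-buffer
    (call-process (or shell "sh") nil t nil "-c"
                  (concat "printf %s " (shell-quote-argument name)))
    (buffer-string)))

(defun sq-demo-failures (&optional shell)
  "Return the sample names that do not survive quoting unchanged in SHELL."
  (cl-remove-if (lambda (name)
                  (string= name (sq-demo-round-trip name shell)))
                sq-demo-sample-names))

;; Evaluate (sq-demo-failures) for sh, or pass another shell's program
;; name to compare how that shell parses the same quoted strings.
```

A non-empty result names the inputs whose quoting the given shell parsed differently, which is the case the question in this thread is asking about.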