We don't know what this is being used for. For all we know, someone has written an Emacs plugin that passes a file with an attacker-controlled basename (e.g. downloaded from the Internet) and uses this function to escape the filename before passing it to an external command, and in a context where there are unbalanced double quotes (say) in a known env var. Result: remote execution of arbitrary code.

On Aug 11, 2016 8:41 PM, wrote:
> Demi Obenour writes:
> > I think that this needs to be fixed 100% — it is a security issue.
>
> Doesn't it require the attacker to already control Emacs' environment?