I think that this needs to be fixed 100% — it is a security issue. Another option is to enable command extensions every time Emacs spawns a shell. On Aug 10, 2016 9:00 AM, "Noam Postavsky" wrote: > > tag 19350 confirmed > severity 19350 minor > quit > > > Looking at the code in subr.el, it is clear that Emacs mishandles > > %-signs when escaping for the Windows command interpreter. > [...] > > > > I deleted the lossage from the report, as there is no point in including > > it, this being a logic error in subr.el. In fact, the buggy code is dead > > on my machine (I run Linux) -- I happened to know about the problem on > > Windows. > > Well, it would have been nice to mention which function you're talking > about, and give an example problematic string. I guess it's > shell-quote-argument: > > Evaluating > > (let ((process-environment (cl-list* "ca^=with-caret" > "ca=without-caret" > process-environment))) > (insert (shell-command-to-string > (format "echo %s %s %s" > "%ca%" > (shell-quote-argument "%ca%") > "%%CD:~,0%ca%%CD:~,0%")))) > gives > > without-caret "with-caret" %ca% > > On the other hand, this is such an obscure corner case, I'm don't know > if it's even worth fixing. > > > A method of handling % that I believe to be fully > > robust is to follow (not precede) each series of % characters with > > %CD:~,0%. This is an expansion that always expands to the empty > > string. It will work provided that: > > > > * Command Extensions are enabled. > > I'm not sure if Emacs can assume this. > > > > > * It is not possible for cmd.exe to interpret an environment variable > > whose name is the empty string. > > I found that adding "=emptyvar" to process-environment caused > "Spawning child process: exec format error", so I guess this > assumption is safe.