From: Max Nikulin
Newsgroups: gmane.emacs.bugs
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Wed, 11 Oct 2023 17:46:20 +0700
To: lux, Andreas Schwab
Cc: Eli Zaretskii, 66390@debbugs.gnu.org, michael.albinus@gmx.de

On 11/10/2023 10:08, lux wrote:
> On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
>> On Okt 10 2023, lux wrote:
>>
>>> +        ;; see Bug#66390
>>> + (mapconcat 'identity
>>> +                   (mapcar #'shell-quote-argument
>>> +                           (split-string ref " "))
>>
>> You need to split on arbitrary sequences of whitespace to not introduce
>> spurious empty arguments.
>
> Thanks, I've modified it to (split-string ref "\\s-+").

At this point spaces are supposed to be already normalized by the a bit buggy `Man-translate-cleanup' function. I can not provide an example that is not handled by the suggested patch. I am still not feeling comfortable since it affects a rather specific code path. Even the last line of this function might be more suitable.

Other considerations:

The patch changes behavior. Earlier users had to escape characters to get a reliable result, but it will break searches (I am in doubt whether enough people will notice it):

    (man "-k \\[a-z\\]dparm")

Buffer names will have backslashes.

I do not like that tests for `system-type' are not the same in `shell-quote-argument' and in `Man-getpage-in-background'. I am afraid that in some cases improper style of escaping may be applied.

From my point of view, code that performs quoting should be close to the code that invokes the shell, otherwise the risk of inconsistent changes increases. I admit, it requires more work than quick plumbing at the place where a minimal patch fixes the issue.
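
Review bot: `(split-string ref " ")` in the last added line keeps empty strings for runs of spaces and for leading or trailing spaces, and `shell-quote-argument` turns each of them into an empty quoted argument; pass a non-nil OMIT-NULLS argument or use the default separators (nil), which drop empty strings, because a `"\\s-+"` separator on its own still leaves them at the ends of `ref`. The `;; see Bug#66390` comment should also say in words that each word of `ref` is quoted before it reaches the shell, and `'identity` would read better as `#'identity` to match `#'shell-quote-argument`.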
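
The behaviour change and the empty-argument issue discussed in this message can be reproduced with the sketch below, an added example that is not part of the thread or of the Emacs sources. `demo-quote-words' and `demo-report' are hypothetical names, the sample strings other than the `-k' search are constructed, the " " join separator is an assumption because the quoted hunk does not show it, and a POSIX shell (GNU/Linux) is assumed.

```elisp
;;; Added illustration; `demo-quote-words' and `demo-report' are
;;; hypothetical helpers, not functions from man.el.

(defun demo-quote-words (ref separators)
  "Split REF on SEPARATORS and shell-quote each word, as in the quoted hunk.
SEPARATORS is handed to `split-string' unchanged; nil selects its
default separators, which also drop empty strings.  Joining with a
single space is an assumption, the hunk does not show that argument."
  (mapconcat #'identity
             (mapcar #'shell-quote-argument
                     (split-string ref separators))
             " "))

(defun demo-report ()
  "Return an alist of (DESCRIPTION . QUOTED-COMMAND-TAIL) for sample inputs."
  (let ((pre-escaped "-k \\[a-z\\]dparm") ; the search from the message
        (plain "-k [a-z]dparm")           ; constructed: same search, unescaped
        (spaced "  -k   hdparm "))        ; constructed: irregular spacing
    (list
     ;; Input escaped by hand for the old behaviour gets escaped again.
     (cons "pre-escaped, quoted again"
           (demo-quote-words pre-escaped "\\s-+"))
     ;; Unescaped input is what the patched code expects.
     (cons "plain, quoted once"
           (demo-quote-words plain "\\s-+"))
     ;; Every extra space yields an empty word, quoted as an argument.
     (cons "split on one space"
           (demo-quote-words spaced " "))
     ;; Runs collapse, but leading/trailing whitespace still yields "".
     (cons "split on \\s-+"
           (demo-quote-words spaced "\\s-+"))
     ;; Default separators imply OMIT-NULLS, so no empty words remain.
     (cons "default separators"
           (demo-quote-words spaced nil)))))

;; Print one row per case when loaded.
(dolist (row (demo-report))
  (message "%-28s %S" (car row) (cdr row)))
```

Load it with `emacs --batch -l FILE' and compare the rows: the first two show why hand-escaped searches stop matching, the last three show where empty arguments come from.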