all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Structurally fixing command injection bugs
@ 2023-02-22 10:08 Vasilij Schneidermann
  2023-02-22 10:20 ` lux
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Vasilij Schneidermann @ 2023-02-22 10:08 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1436 bytes --]

I've come across a few recent bugfixes arising from the same underlying problem
recently:

- Command injection in etags via system(3): CVE-2022-45939
- Command injection in htmlfontify.el via `shell-command-to-string`
- Command injection in ruby-mode.el via `shell-command-to-string`

The issue is well-known: Passing user input containing shell control
characters to system(3) is dangerous. Quoting the argument strings is a
band-aid solution. The text-book solution is to avoid using the shell in
the first place whenever possible. Emacs even provides a convenient
function for this, `process-lines`. It does not use the shell, accepts
several argument strings, raises errors (rather than failing silently)
and returns its output as a list of lines, thereby removing the need for
removing the trailing newline.

I see several options for moving forward:

- Keep using `shell-command-to-string` and `shell-quote-argument`
- Migrate existing use of `shell-command-to-string` to `process-lines` 
- Come up with a different replacement working much like
  `process-lines`, but returning a string instead (I have no idea what
  an appropriate name would be, maybe `command-to-string`?)

PS: Where should I report analogous misuse of `shell-command-to-string`?
I cannot submit patches currently because I've changed employers and
need to renew copyright assignment, again (that would be the third time
already).

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2023-02-22 18:57 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-02-22 10:08 Structurally fixing command injection bugs Vasilij Schneidermann
2023-02-22 10:20 ` lux
2023-02-22 10:34   ` Vasilij Schneidermann
2023-02-22 12:05     ` lux
2023-02-22 12:57     ` Gregory Heytings
2023-02-22 12:01 ` lux
2023-02-22 18:57 ` Jim Porter

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.