From: Stefan Kangas <stefankangas@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 02:19:07 -0700

Eli Zaretskii <eliz@HIDDEN> writes:

> That's true, but neither are ':' or '[', and AFAIK we already have
> man-page file names which use those two.

Perhaps we should add tests for man pages with such characters.

bug-gnu-emacs@HIDDEN
:bug#66390
; Package emacs
.

From: Eli Zaretskii <eliz@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 10:45:06 +0300

> From: Andreas Schwab <schwab@HIDDEN>
> Cc: Stefan Kangas <stefankangas@HIDDEN>, lx@HIDDEN,
>  manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> Date: Sat, 21 Oct 2023 09:35:38 +0200
>
> On Okt 21 2023, Eli Zaretskii wrote:
>
> > found in file names). In particular, who can guarantee that ';' will
> > not be part of some man page some day? it's a valid file-name
> > character on Posix hosts, isn't it?
>
> It's not part of the Portable Filename Character Set.

That's true, but neither are ':' or '[', and AFAIK we already have man-page file names which use those two.

From: Andreas Schwab <schwab@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 09:35:38 +0200

On Okt 21 2023, Eli Zaretskii wrote:

> found in file names). In particular, who can guarantee that ';' will
> not be part of some man page some day? it's a valid file-name
> character on Posix hosts, isn't it?

It's not part of the Portable Filename Character Set.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."


From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 10:19:58 +0300

> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Fri, 20 Oct 2023 14:00:50 -0700
> Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN,
>  Eli Zaretskii <eliz@HIDDEN>
>
> lux <lx@HIDDEN> writes:
>
> > On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> >> On Okt 10 2023, lux wrote:
> >>
> >> > + ;; see Bug#66390 > >> > + (mapconcat 'identity > >> > + (mapcar #'shell-quote-argument > >> > + (split-string ref " "))
> >>
> >> You need to split on arbitrary sequences of whitespace to not introduce
> >> spurious empty arguments.
> >>
> >
> > Thanks, I've modified it to (split-string ref "\\s-+").
>
> I lost track of this discussion a little bit, but I think we should
> try to have this fixed in Emacs 29.2.

If we have a reliable solution (a hard-to-satisfy condition, see below), yes.

> Is the below patch acceptable?

I'm not sure it is reliable enough. man.el is an extremely tricky package wrt the weird file names it must support (because many man pages have weird names and include characters that are not normally found in file names). In particular, who can guarantee that ';' will not be part of some man page some day? it's a valid file-name character on Posix hosts, isn't it?

So I would be happier with installing this on master instead. Distros which consider this a serious vulnerability can always cherry-pick the change in their Emacs 29 distributions.


From: Stefan Kangas <stefankangas@HIDDEN>
To: lux <lx@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Fri, 20 Oct 2023 14:00:50 -0700

lux <lx@HIDDEN> writes:

> On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
>> On Okt 10 2023, lux wrote:
>>
>> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ;; see Bug#66390 >> > + (mapconcat 'identity >> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (mapcar #'shell-quote-argument >> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 (split-string ref " "))
>>
>> You need to split on arbitrary sequences of whitespace to not introduce
>> spurious empty arguments.
>>
>
> Thanks, I've modified it to (split-string ref "\\s-+").

I lost track of this discussion a little bit, but I think we should
try to have this fixed in Emacs 29.2.

Is the below patch acceptable?

> From faa49ba78a203d47740280e5c6fd0e075628b507 Mon Sep 17 00:00:00 2001 > From: Xi Lu <lx@HIDDEN> > Date: Tue, 10 Oct 2023 22:20:05 +0800 > Subject: [PATCH] Fix man.el code injection vulnerability. > > * lisp/man.el (Man-translate-references): Fix code injection. > * test/lisp/man-tests.el (man-tests-Man-translate-references): New. > --- > lisp/man.el | 6 +++++- > test/lisp/man-tests.el | 12 ++++++++++++ > 2 files changed, 17 insertions(+), 1 deletion(-) > > diff --git a/lisp/man.el b/lisp/man.el > index 506d6060269..a95435c7ea0 100644 > --- a/lisp/man.el > +++ b/lisp/man.el > @@ -692,7 +692,11 @@ Man-translate-references > (setq name (match-string 2 ref) > section (match-string 1 ref)))) > (if (string=3D name "") > - ref ; Return the reference as is > + ;; see Bug#66390 > + (mapconcat 'identity > + (mapcar #'shell-quote-argument > + (split-string ref "\\s-+")) > + " ") ; Return the reference as is > (if Man-downcase-section-letters-flag > (setq section (downcase section))) > (while slist 
> diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el > index e3657d7df8a..1c6dcb63a5c 100644 > --- a/test/lisp/man-tests.el > +++ b/test/lisp/man-tests.el > @@ -161,6 +161,18 @@ man-bgproc-filter-buttonize-includes > (let ((button (button-at (match-beginning 0)))) > (should (and button (eq 'Man-xref-header-file (button-type b= utton)))))))))) > > +(ert-deftest man-tests-Man-translate-references () > + (should (equal (Man-translate-references "basename") > + "basename")) > + (should (equal (Man-translate-references "basename(3)") > + "3 basename")) > + (should (equal (Man-translate-references "basename(3v)") > + "3v basename")) > + (should (equal (Man-translate-references ";id") > + "\\;id")) > + (should (equal (Man-translate-references "-k basename") > + "-k basename"))) > + > (provide 'man-tests) > > ;;; man-tests.el ends here > -- > 2.42.0
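
Review bot: In the lisp/man.el hunk, `(split-string ref "\\s-+")` is called without OMIT-NULLS, so a reference with leading or trailing whitespace yields an empty string, which `shell-quote-argument` turns into a quoted empty argument; that is the spurious-empty-argument problem raised earlier in this thread. Passing `t` as the third argument to `split-string` avoids it. The retained trailing comment `; Return the reference as is` no longer describes this branch, since the reference is now quoted word by word, and `;; see Bug#66390` would help more if it said why the quoting is needed. The `mapcar` is also unnecessary: `(mapconcat #'shell-quote-argument (split-string ref "\\s-+" t) " ")` does the same in one call.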
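
Review bot: In the test/lisp/man-tests.el hunk, `;` is the only shell metacharacter that `man-tests-Man-translate-references` exercises, so the thread's concern about man-page names containing ':' or '[' is not covered. Adding `should` cases for such names, and for references with leading, trailing or repeated whitespace, would pin down the behaviour being debated. The expected value `"\\;id"` also assumes backslash-style quoting; comparing against `(shell-quote-argument ";id")` would keep the test valid on systems where `shell-quote-argument` quotes differently.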

From: Max Nikulin <manikulin@HIDDEN>
To: rms@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Wed, 11 Oct 2023 17:56:11 +0700

On 10/10/2023 18:56, Richard Stallman wrote:
> In general, that is a reasonable policy -- but maybe a serious security
> problem, which this seems to be, calls for special treatment.

I would not consider this particular issue a serious security problem, even though, if reported as a CVE, it may get a high score. However, I believe it should be addressed.

ol-man is not loaded by default. Enough features for Org mode are convenient in case of trusted files, but close to dangerous when a user walks through a malicious file. There are some issues that require a significant amount of effort to fix without ruining usability.


From: Max Nikulin <manikulin@HIDDEN>
To: lux <lx@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
Cc: Eli Zaretskii <eliz@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Date: Wed, 11 Oct 2023 17:46:20 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code

On 11/10/2023 10:08, lux wrote:
> On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
>> On Okt 10 2023, lux wrote:
>>
>>> + ;; see Bug#66390
>>> + (mapconcat 'identity
>>> + (mapcar #'shell-quote-argument
>>> + (split-string ref " "))
>>
>> You need to split on arbitrary sequences of whitespace to not introduce
>> spurious empty arguments.
>
> Thanks, I've modified it to (split-string ref "\\s-+").

At this point spaces are supposed to be already normalized by the somewhat buggy `Man-translate-cleanup' function.

I cannot provide an example that is not handled by the suggested patch. I am still not feeling comfortable since it affects a rather specific code path. Even the last line of this function might be more suitable.

Other considerations:

The patch changes behavior. Earlier, users had to escape characters to get a reliable result, but it will break searches (I am in doubt whether enough people will notice it):

    (man "-k \\[a-z\\]dparm")

Buffer names will have backslashes.

I do not like that tests for `system-type' are not the same in `shell-quote-argument' and in `Man-getpage-in-background'. I am afraid that in some cases an improper style of escaping may be applied. From my point of view, code that performs quoting should be close to the code that invokes the shell, otherwise the risk of inconsistent changes increases. I admit, it requires more work than quick plumbing at the place where a minimal patch fixes the issue.
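
The quoting strategies weighed in this message, as an added Emacs Lisp example that is not part of the thread or of man.el: it contrasts quoting the whole reference, splitting on a single space, and quoting each whitespace-delimited word, and shows the behavior change for input the caller escaped by hand. The `demo-` functions and the file name are hypothetical, and the expected strings assume POSIX-style backslash quoting.

```elisp
;;; quoting-demo.el --- added illustration, not part of man.el  -*- lexical-binding: t -*-

;; Every `demo-' name below is hypothetical.  The expected strings assume a
;; POSIX-style `shell-quote-argument' (backslash escaping), so the test is
;; skipped on MS-Windows and MS-DOS, where the quoting style differs.

(require 'ert)

(defun demo-quote-whole (ref)
  "Quote REF as a single shell word."
  (shell-quote-argument ref))

(defun demo-quote-split-space (ref)
  "Split REF on single spaces, quote each piece, and rejoin with spaces."
  (mapconcat #'shell-quote-argument (split-string ref " ") " "))

(defun demo-quote-words (ref)
  "Split REF on whitespace runs, drop empty pieces, quote each word."
  (mapconcat #'shell-quote-argument (split-string ref "[ \t\n]+" t) " "))

(ert-deftest demo-quoting-strategies ()
  (skip-unless (not (memq system-type '(ms-dos windows-nt))))
  ;; A shell metacharacter is neutralised by whole-string and per-word quoting.
  (should (equal (demo-quote-whole ";id") "\\;id"))
  (should (equal (demo-quote-words ";id") "\\;id"))
  ;; Whole-string quoting escapes the space, so man(1) would receive the
  ;; single argument "-k man" instead of the option -k and the keyword man.
  (should (equal (demo-quote-whole "-k man") "-k\\ man"))
  (should (equal (demo-quote-words "-k man") "-k man"))
  ;; Splitting on one space keeps empty pieces; each becomes a quoted
  ;; empty argument on the command line.
  (should (equal (split-string "-k  man" " ") '("-k" "" "man")))
  (should (equal (demo-quote-split-space "-k  man") "-k '' man"))
  ;; A regexp separator without OMIT-NULLS still leaves an empty piece
  ;; for leading whitespace.
  (should (equal (split-string " man" "[ \t\n]+") '("" "man")))
  (should (equal (demo-quote-words "  -k   man ") "-k man"))
  ;; Input that the caller escaped by hand is escaped a second time: the
  ;; shell then hands man(1) the text \[a-z\]dparm, backslashes included.
  (should (equal (demo-quote-words "-k \\[a-z\\]dparm")
                 "-k \\\\\\[a-z\\\\\\]dparm")))
```

Run it with `emacs -Q --batch -l quoting-demo.el -f ert-run-tests-batch-and-exit`.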

From: lux <lx@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
Date: Wed, 11 Oct 2023 11:08:34 +0800
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code

On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> On Okt 10 2023, lux wrote:
>
> > + ;; see Bug#66390
> > + (mapconcat 'identity
> > + (mapcar #'shell-quote-argument
> > + (split-string ref " "))
>
> You need to split on arbitrary sequences of whitespace to not introduce
> spurious empty arguments.

Thanks, I've modified it to (split-string ref "\\s-+").

[Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch (text/x-patch)]

From: Andreas Schwab <schwab@HIDDEN>
To: lux <lx@HIDDEN>
Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
Date: Tue, 10 Oct 2023 18:21:34 +0200
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN> (lux's message of "Tue, 10 Oct 2023 22:30:03 +0800")

On Okt 10 2023, lux wrote:

> + ;; see Bug#66390
> + (mapconcat 'identity
> + (mapcar #'shell-quote-argument
> + (split-string ref " "))

You need to split on arbitrary sequences of whitespace to not introduce spurious empty arguments.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
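
Review bot: in the quoted `(split-string ref " ")` call, no OMIT-NULLS argument is passed, so leading, trailing or repeated separators in `ref` yield empty strings, and `shell-quote-argument` turns each of them into a quoted empty word on the man command line; switching the separator to a whitespace regexp removes the repeated-space case but not the leading and trailing ones. Suggest `(split-string ref "[ \t\n]+" t)`, and since the `mapcar` result is only passed to `(mapconcat 'identity ...)`, the two can be collapsed into `(mapconcat #'shell-quote-argument (split-string ...) " ")`.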

From: lux <lx@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Date: Tue, 10 Oct 2023 22:30:03 +0800
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code

On Tue, 2023-10-10 at 17:54 +0700, Max Nikulin wrote:
> On 09/10/2023 23:30, lux wrote:
> >
> > Here's my patch and the test cases.
>
> Thank you for your attempt to fix the issue. Unfortunately the proposed
> patch breaks the following case
>
>     M-x man RET -k man RET
>
> That is why I wrote that each word should be escaped independently.
>
> I am unsure if (man "-k man") should be supported as call with argument.

Thanks for the correction :-)

I fixed my patch and tested it on Emacs 30.0.50; it's ok.

Stefan, Max, can you test it again?

[Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch (text/x-patch)]

From: Stefan Kangas <stefankangas@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Date: Tue, 10 Oct 2023 12:25:42 +0000
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code

Eli Zaretskii <eliz@HIDDEN> writes:

> Does it also work correctly in all the scenarios described in
> bug#64795, including completion?

No, trying to complete there gives the prompt:

    Manual entry: [ [No match]

On the other hand this already seems broken in a different way in Emacs 29 on this macOS machine. Trying to complete with:

    M-x man RET [ TAB TAB

leads to

    Manual entry: [: [Sole completion]

and RET at this point gives

    Can't find the [: manpage
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 15:11:25 +0300

> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Tue, 10 Oct 2023 07:43:00 +0000
> Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
>
> Eli Zaretskii <eliz@HIDDEN> writes:
>
> > what happens with command (man "[") in this case?
>
> It works fine here with that patch.  IOW, I get the expected man page
>
>     test, [ – condition evaluation utility

Does it also work correctly in all the scenarios described in
bug#64795, including completion?

From: Richard Stallman <rms@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 07:56:32 -0400

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > We don't retrofit fixes into old branches of Emacs that are no longer
  > developed;

In general, that is a reasonable policy -- but maybe a serious
security problem, which this seems to be, calls for special treatment.

  > we leave that to the distros (who maintain old Emacs
  > versions for many more years than we do).

That might be sufficient for the problem, but we should think
carefully about whether it _is_ sufficient.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

From: Max Nikulin <manikulin@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, lux <lx@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 18:09:43 +0700

On 09/10/2023 23:48, Eli Zaretskii wrote:
> And I ask again: what happens with command (man "[") in this case?

"sh" "-c" "man [ 2>/dev/null | sed -e '/^[\1-\32][\1-\32]*$/d' #...

so the code in man.el relies on "[" not being interpreted as a special
character when it is alone. It is not escaped!

Perhaps you are confused by the following commit

4ef9cc5a5de 2023-07-26 17:30:21 +0300 Eli Zaretskii: Fix "M-x man RET [ RET"

It affects completion, but not M-x man RET [ RET. (And I am surprised
that "@" is treated specially for some reason.)

> Please believe me: this is not simple.  There's more here than meets
> the eye.  In addition to all kinds of weird characters in man-page
> names, you also need to consider SEE ALSO links from one man page to
> another, which can cross lines and include dashes and whitespace.
> Etc. etc...  I had my share of messing with this code, and one thing I
> know is that nothing is ever as simple as quoting here.

References split across lines should be handled by the code that
creates/opens references, not by `man'. `man' should receive cleaned up
references. (Cross-references are a case where a properly implemented
roff parser has advantages over dealing with text formatted for tty.)

If you believe that other packages must not call `man' then this
function should not have an argument since it is a part of the public
interface.

From: Max Nikulin <manikulin@HIDDEN>
To: lux <lx@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 17:54:59 +0700

On 09/10/2023 23:30, lux wrote:
> Here's my patch and the test cases.

Thank you for your attempt to fix the issue. Unfortunately the proposed
patch breaks the following case

    M-x man RET -k man RET

That is why I wrote that each word should be escaped independently.

I am unsure if (man "-k man") should be supported as a call with an
argument.

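Added example, not part of the thread and not code from man.el: it feeds the topics discussed in the two messages above (";ls", "-k man" and "[") through an "sh -c" style command string three ways: unquoted, quoted as one word, and with each word quoted independently. The stubbed `man' and `ls' functions and the helper names (quote_word, unquoted_cmd, whole_cmd, per_word_cmd, run_cmd) are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: how the shell parses a man topic pasted into a command
# string, and what quoting each word independently changes.
# man and ls are stubbed so the script is deterministic and runs offline.

# Stub for man(1): report every argument it receives, one per line.
man() {
    for arg in "$@"; do
        printf 'arg=<%s>\n' "$arg"
    done
}

# Stub for ls(1): leaves a marker when the shell runs it as a command.
ls() {
    printf 'ls-was-run\n'
}

# Quote one word for POSIX sh: wrap it in single quotes and rewrite each
# embedded single quote as '\''.
quote_word() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Unquoted: the topic is pasted after "man " as is.
unquoted_cmd() {
    printf 'man %s' "$1"
}

# The whole topic string quoted as a single word.
whole_cmd() {
    printf 'man %s' "$(quote_word "$1")"
}

# Each whitespace-separated word quoted independently.
per_word_cmd() {
    out='man'
    set -f                      # no pathname expansion while splitting
    for w in $1; do
        out="$out $(quote_word "$w")"
    done
    set +f
    printf '%s' "$out"
}

# Parse and run a command string. eval applies the same shell grammar as
# "sh -c" but keeps the stubs above in scope.
run_cmd() {
    eval "$1"
}

# Constructed sample topics taken from the thread: ";ls", "-k man", "[".
for topic in ';ls' '-k man' '['; do
    printf 'topic: %s\n' "$topic"
    for builder in unquoted_cmd whole_cmd per_word_cmd; do
        cmd=$("$builder" "$topic")
        printf '  %-13s %s\n' "$builder" "$cmd"
        run_cmd "$cmd" | sed 's/^/      /'
    done
done
```

Only the per-word form keeps "-k man" as two arguments while handing ";ls" to man as a literal topic; a lone "[" reaches man unchanged in all three forms.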
From: Stefan Kangas <stefankangas@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, lux <lx@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 07:43:00 +0000

Eli Zaretskii <eliz@HIDDEN> writes:

> what happens with command (man "[") in this case?

It works fine here with that patch.  IOW, I get the expected man page

    test, [ – condition evaluation utility

From: lux <lx@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 10:47:17 +0800

On Mon, 2023-10-09 at 19:48 +0300, Eli Zaretskii wrote:
> > From: lux <lx@HIDDEN>
> > Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> > Date: Tue, 10 Oct 2023 00:30:06 +0800
> >
> > There is indeed a code injection vulnerability issue here, for example:
> >
> >   (man ";ls")    <-- The `ls' command will be executed.
>
> So does this:
>
>   (shell-command "ls")
>
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command?  We cannot do that.

The responsibilities of `shell-command' are clear: execute string
COMMAND in inferior shell. But `man' is not; we cannot describe `man' as
being "Get a Un*x manual page and put it in a buffer. But sometimes can,
by the way, execute shell code."

For filenames, the "(", ")", and ";" characters all work. I think we
should be able to handle them correctly, or describe it in the docstring.


From: Andreas Schwab <schwab@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: lux <lx@HIDDEN>, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 19:20:03 +0200

On Okt 09 2023, Eli Zaretskii wrote:

>> From: lux <lx@HIDDEN>
>> Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
>> Date: Tue, 10 Oct 2023 00:30:06 +0800
>>
>> There is indeed a code injection vulnerability issue here, for example:
>>
>> (man ";ls") <-- The `ls' command will be executed.
>
> So does this:
>
> (shell-command "ls")

shell-command does what it is supposed to do. man, on the other hand,
is supposed to display a manpage, _not_ execute an arbitrary command
line. While the doc string of the man command says that it runs a
command to do its work, it does not explain how man-args is related to
that command.

--
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."

From: Ihor Radchenko <yantar92@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: lux <lx@HIDDEN>, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 17:07:36 +0000

Eli Zaretskii <eliz@HIDDEN> writes:

>> There is indeed a code injection vulnerability issue here, for example:
>>
>> (man ";ls") <-- The `ls' command will be executed.
>
> So does this:
>
> (shell-command "ls")
>
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command? We cannot do that.

You seem to have an idea what MAN-ARGS argument in `man' does. But it is
not described in the docstring. I think it would help if docstring were
more clear about the command argument.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>

From: Eli Zaretskii <eliz@HIDDEN>
To: lux <lx@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 19:48:21 +0300

> From: lux <lx@HIDDEN>
> Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> Date: Tue, 10 Oct 2023 00:30:06 +0800
>
> There is indeed a code injection vulnerability issue here, for example:
>
> (man ";ls") <-- The `ls' command will be executed.

So does this:

  (shell-command "ls")

Does it mean we will disallow shell-command? or forcibly quote every
shell command? We cannot do that.

> Here's my patch and the test cases.

And I ask again: what happens with command (man "[") in this case?

Please believe me: this is not simple. There's more here than meets
the eye. In addition to all kinds of weird characters in man-page
names, you also need to consider SEE ALSO links from one man page to
another, which can cross lines and include dashes and whitespace.
Etc. etc... I had my share of messing with this code, and one thing I
know is that nothing is ever as simple as quoting here.

From: lux <lx@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, Max Nikulin <manikulin@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 00:30:06 +0800

On Sun, 2023-10-08 at 08:28 +0300, Eli Zaretskii wrote:
> > Date: Sun, 8 Oct 2023 10:37:33 +0700
> > Cc: 66390 <at> debbugs.gnu.org
> > From: Max Nikulin <manikulin@HIDDEN>
> >
> > On 08/10/2023 01:26, Eli Zaretskii wrote:
> > >
> > > So the problem _is_ with the shell?  If so, the best way of avoiding
> > > these problems is not to invoke 'man' via the shell, but via call-process
> > > and its ilk instead.
> >
> > It will be great if it is possible to avoid shell in the middle. However
> > - man.el uses pipes with sed and awk to post-process output of man
> > executable.
> > - if support of remote man files is considered then it is even more hard
> > to avoid shell. SSH assumes shell commands.
>
> Even if sometimes the shell cannot be avoided (which has yet to be
> established, AFAIU), it's not an argument against avoiding it where
> possible, because that solves any security issues, definitely those
> you brought up.
>
> > I had in mind using at least `shell-quote-argument'.
>
> That doesn't work with 'man', which has its own ideas about quoting,
> besides shell-related quoting.
>
> > The issues of sanitizing outputs in callers
> > - If there was a safe function in man.el then callers code would be more
> > simple, so it would be less probable to introduce bugs in such code.
> > - behavior of the `man' emacs command is *underspecified*, so it is hard
> > to provide safe argument for it. Some parentheses are allowed as in
> > "man(1)" others may be interpreted by shell.
> > - `shell-quote-argument' in callers would rely on man.el implementation
> > details at best or may even lead to undefined behavior since I see
> > no way to bypass some processing of the argument of the `man' emacs command.
>
> Reiterating what you already said doesn't help to have a productive
> discussion.
>
> > Execution of a part of `man' emacs command argument by shell is a surprise
> > to the user in any case. Ideally elisp code should prevent it and man.el
> > should emit an error.
>
> IMO, this ideal cannot be reached in practice, let alone kept for any
> length of time.  Systems are adding strangely-named man pages all the
> time.  We had quite a few bug reports about that during the recent
> years.
>
> > Attempts to call `man' from other packages is an open door for
> > security vulnerabilities.
>
> Then perhaps those other packages shouldn't call 'man'.
>
>
>

Hi,

There is indeed a code injection vulnerability issue here, for example:

(man ";ls") <-- The `ls' command will be executed.

I think the fix can start with the `Man-translate-references' function.

Here's my patch and the test cases.
Attachment: 0001-Fix-man.el-code-injection-vulnerability.patch (text/x-patch)
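
The three calling conventions argued over in the messages above (unquoted interpolation into a shell command, `shell-quote-argument', and `call-process' without a shell), as an added Emacs Lisp example that is not part of the thread, the attached patch, or man.el. It assumes a POSIX shell as `shell-file-name' and a printf executable on `exec-path'; printf stands in for the man program, every `demo-' name is hypothetical, and only the shell layer is covered, not man's own handling of page names.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from man.el.  Every `demo-' name is
;; hypothetical.  printf stands in for the external man program: it
;; echoes each argument it receives inside brackets, so the effect of
;; the calling convention is visible without running man itself.
;; Assumes a POSIX shell as `shell-file-name' and printf on `exec-path'.

(defconst demo-topics '("ls" "a b" "[" ";echo INJECTED")
  "Constructed sample topics, including shell metacharacters.")

(defun demo-lookup-unquoted (topic)
  "Splice TOPIC into a shell command line as-is.
The shell parses TOPIC, so `;' ends the printf command and whatever
follows runs as a second command; a space splits TOPIC into two words."
  (shell-command-to-string (format "printf '[%%s]' %s" topic)))

(defun demo-lookup-quoted (topic)
  "Splice TOPIC into a shell command line via `shell-quote-argument'.
The shell still parses the line, but TOPIC reaches printf as one word."
  (shell-command-to-string
   (format "printf '[%%s]' %s" (shell-quote-argument topic))))

(defun demo-lookup-no-shell (topic)
  "Pass TOPIC to printf as a single argv element with `call-process'.
No shell runs, so no character in TOPIC has syntactic meaning."
  (with-temp-buffer
    (call-process "printf" nil t nil "[%s]" topic)
    (buffer-string)))

(defun demo-compare (topic)
  "Return what the stand-in program receives for TOPIC under each method."
  (list :topic topic
        :unquoted (demo-lookup-unquoted topic)
        :quoted (demo-lookup-quoted topic)
        :no-shell (demo-lookup-no-shell topic)))

(defun demo-shell-parsed-p (topic)
  "Return non-nil if the shell interpreted part of TOPIC.
That is the case when the unquoted and no-shell results differ."
  (not (equal (demo-lookup-unquoted topic)
              (demo-lookup-no-shell topic))))

;; Print one comparison per constructed topic when the buffer is evaluated.
(dolist (topic demo-topics)
  (message "%S shell-parsed=%S"
           (demo-compare topic) (demo-shell-parsed-p topic)))
```

The `call-process' form covers a single program invocation only; a pipeline such as the sed and awk post-processing mentioned in the thread needs separate handling.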

From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 18:52:52 +0300

> Date: Mon, 9 Oct 2023 22:12:34 +0700
> Cc: michael.albinus@HIDDEN, 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
>
> On 08/10/2023 12:28, Eli Zaretskii wrote:
> >> Date: Sun, 8 Oct 2023 10:37:33 +0700 From: Max Nikulin
> >
> >> I had in mind using at least `shell-quote-argument'.
> > That doesn't work with 'man', which has its own ideas about quoting,
> > besides shell-related quoting.
>
> I see usage of `shell-quote-argument' for completion where shell is not
> involved. During formatting there is parsing of references with some
> regular expressions to get (X) section suffix, but I have not noticed
> quoting. Certainly the code relies on spaces passed literally and
> substituted into shell command directly. If there were page names with
> spaces it would be a problem.
>
> I mean passing through `shell-quote-argument' each word returned by
> `Man-translate-references'

What will this do with a man page called [.1 ?

> (defun Man-translate-cleanup (string)
>   "Strip leading, trailing and middle spaces."
>                                ^^^^^^^^^^^^^
>
> (Man-translate-cleanup " w")
> " w"

But

  (Man-translate-cleanup " ww") => "ww"

From: Max Nikulin <manikulin@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 9 Oct 2023 22:12:34 +0700

On 08/10/2023 12:28, Eli Zaretskii wrote:
>> Date: Sun, 8 Oct 2023 10:37:33 +0700 From: Max Nikulin
>
>> I had in mind using at least `shell-quote-argument'.
> That doesn't work with 'man', which has its own ideas about quoting,
> besides shell-related quoting.

I see usage of `shell-quote-argument' for completion where shell is not
involved. During formatting there is parsing of references with some
regular expressions to get (X) section suffix, but I have not noticed
quoting. Certainly the code relies on spaces passed literally and
substituted into shell command directly. If there were page names with
spaces it would be a problem.

I mean passing through `shell-quote-argument' each word returned by
`Man-translate-references'

P.S.

(defun Man-translate-cleanup (string)
  "Strip leading, trailing and middle spaces."
                               ^^^^^^^^^^^^^

(Man-translate-cleanup " w")
" w"

?
From: Eli Zaretskii <eliz@HIDDEN>
To: rms@HIDDEN
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Mon, 09 Oct 2023 14:04:37 +0300
Message-Id: <83ttr0vyyi.fsf@HIDDEN>
In-Reply-To: <E1qpg8N-0004yH-3Y@HIDDEN> (message from Richard Stallman on Sun, 08 Oct 2023 22:36:39 -0400)

> From: Richard Stallman <rms@HIDDEN>
> Cc: michael.albinus@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
> Date: Sun, 08 Oct 2023 22:36:39 -0400
>
> > We can do something, just not the way it was suggested: avoid using
> > the shell.
>
> I wonder: do we need to backport this fix to old Emacs versions that we
> do not normally maintain at all, because of the insecurity?

We don't retrofit fixes into old branches of Emacs that are no longer
developed; we leave that to the distros (who maintain old Emacs
versions for many more years than we do).  At this time, this means
only Emacs 29.x and newer can get such fixes, but not older versions.

(Btw, there's no fix yet, just discussions about what would be the
most appropriate fix.)

From: Richard Stallman <rms@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Reply-To: rms@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 08 Oct 2023 22:36:39 -0400
Message-Id: <E1qpg8N-0004yH-3Y@HIDDEN>
In-Reply-To: <83h6n2z3tr.fsf@HIDDEN> (message from Eli Zaretskii on Sat, 07 Oct 2023 21:26:40 +0300)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > We can do something, just not the way it was suggested: avoid using
  > the shell.

I wonder: do we need to backport this fix to old Emacs versions that we
do not normally maintain at all, because of the insecurity?

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)

From: Maxim Nikulin <manikulin+gzh@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, Michael Albinus <michael.albinus@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 8 Oct 2023 10:42:03 +0700
Message-ID: <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@HIDDEN>
In-Reply-To: <83jzryz6op.fsf@HIDDEN>

On 08/10/2023 00:24, Eli Zaretskii wrote:
>> From: Michael Albinus Date: Sat, 07 Oct 2023 18:55:01 +0200
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.

I see some discrepancy with the declaration of stable API in "Re:
Completion of links to man pages"

On 06/10/2023 00:11, Eli Zaretskii wrote:
> From: Ihor Radchenko <yantar92@HIDDEN>
> Cc: emacs-orgmode@HIDDEN, emacs-devel@HIDDEN
> Date: Thu, 05 Oct 2023 16:53:57 +0000
>> What I am asking here is to provide a stable Elisp API for the above use
>> case. Currently, we have to rely on implementation details.
>
> From where I stand, we have already a stable API tested by years of
> use.  What is maybe missing is some documentation to allow its easier
> use, that's all.

From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 08 Oct 2023 08:28:00 +0300
Message-Id: <831qe5znrz.fsf@HIDDEN>
In-Reply-To: <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> (message from Max Nikulin on Sun, 8 Oct 2023 10:37:33 +0700)

> Date: Sun, 8 Oct 2023 10:37:33 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
>
> On 08/10/2023 01:26, Eli Zaretskii wrote:
> >
> > So the problem _is_ with the shell?  If so, the best way of avoiding
> > these problems is not invoke 'man' via the shell, but via call-process
> > and its ilk instead.
>
> It will be great if it is possible to avoid shell in the middle. However
> - man.el uses pipes with sed and awk to post-process output of man
> executable.
> - if support of remote man files is considered then it is even more hard
> to avoid shell. SSH assumes shell commands.

Even if sometimes the shell cannot be avoided (which has yet to be
established, AFAIU), it's not an argument against avoiding it where
possible, because that solves any security issues, definitely those
you brought up.

> I had in mind using at least `shell-quote-argument'.

That doesn't work with 'man', which has its own ideas about quoting,
besides shell-related quoting.

> The issues of sanitizing outputs in callers
> - If there was a safe function in man.el then callers' code would be more
> simple, so it would be less probable to introduce bugs in such code.
> - behavior of the `man' emacs command is *underspecified*, so it is hard
> to provide safe argument for it. Some parentheses are allowed as in
> "man(1)" others may be interpreted by shell.
> - `shell-quote-argument' in callers would rely on man.el implementation
> details at best or may even lead to undefined behavior since I see have
> no way to bypass some processing of the argument of the `man' emacs command.

Reiterating what you already said doesn't help to have a productive
discussion.

> Execution of a part of `man' emacs command argument by shell is a surprise
> to the user in any case. Ideally elisp code should prevent it and man.el
> should emit an error.

IMO, this ideal cannot be reached in practice, let alone kept for any
length of time.  Systems are adding strangely-named man pages all the
time.  We had quite a few bug reports about that during the recent
years.

> Attempts to call `man' from other packages is an open door for
> security vulnerabilities.

Then perhaps those other packages shouldn't call 'man'.

From: Eli Zaretskii <eliz@HIDDEN>
To: Maxim Nikulin <manikulin+gzh@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 08 Oct 2023 08:20:09 +0300
Message-Id: <8334ylzo52.fsf@HIDDEN>
In-Reply-To: <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@HIDDEN> (message from Maxim Nikulin on Sun, 8 Oct 2023 10:42:03 +0700)

> Date: Sun, 8 Oct 2023 10:42:03 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Maxim Nikulin <manikulin+gzh@HIDDEN>
>
> On 08/10/2023 00:24, Eli Zaretskii wrote:
> >> From: Michael Albinus Date: Sat, 07 Oct 2023 18:55:01 +0200
> >
> >> The docstring of man explains already, which kind of arguments are
> >> expected.
> >
> > Yes, and we update that all the time, given how the systems stretch
> > these specs.
>
> I see some discrepancy with the declaration of stable API in "Re:
> Completion of links to man pages"

IMO, you see something that doesn't exist.  The quoted message was
talking about Lisp API for completing names of 'man' pages, not about
the spec of 'man' arguments.

From: Max Nikulin <manikulin@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, Michael Albinus <michael.albinus@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sun, 8 Oct 2023 10:37:33 +0700
Message-ID: <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN>
In-Reply-To: <83h6n2z3tr.fsf@HIDDEN>

On 08/10/2023 01:26, Eli Zaretskii wrote:
>
> So the problem _is_ with the shell?  If so, the best way of avoiding
> these problems is not invoke 'man' via the shell, but via call-process
> and its ilk instead.

It will be great if it is possible to avoid shell in the middle. However
- man.el uses pipes with sed and awk to post-process output of man
  executable.
- if support of remote man files is considered then it is even more hard
  to avoid shell. SSH assumes shell commands.

I had in mind using at least `shell-quote-argument'.

The issues of sanitizing outputs in callers
- If there was a safe function in man.el then callers' code would be more
  simple, so it would be less probable to introduce bugs in such code.
- behavior of the `man' emacs command is *underspecified*, so it is hard
  to provide safe argument for it. Some parentheses are allowed as in
  "man(1)" others may be interpreted by shell.
- `shell-quote-argument' in callers would rely on man.el implementation
  details at best or may even lead to undefined behavior since I see have
  no way to bypass some processing of the argument of the `man' emacs
  command.

Execution of a part of `man' emacs command argument by shell is a
surprise to the user in any case. Ideally elisp code should prevent it
and man.el should emit an error.

Attempts to call `man' from other packages is an open door for
security vulnerabilities.

I was really surprised when I noticed that various Linux distributions
patched and updated emacs even in stable releases in response to
https://security-tracker.debian.org/tracker/CVE-2023-28617
Formally the score of this CVE was high.

Full text available.Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 18:26:54 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sat Oct 07 14:26:54 2023 Received: from localhost ([127.0.0.1]:55889 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1qpC0s-0001Z0-Ek for submit <at> debbugs.gnu.org; Sat, 07 Oct 2023 14:26:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:60276) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1qpC0q-0001Ym-OT for 66390 <at> debbugs.gnu.org; Sat, 07 Oct 2023 14:26:53 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <eliz@HIDDEN>) id 1qpC0R-000119-3U; Sat, 07 Oct 2023 14:26:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date: mime-version; bh=HxUROOchoDnaMe84tG6yRqOqKVQRhu2sjndfMYBY8NY=; b=VkViglzx4u5B Cr0clyR4yt8hDYIbjq1C6yL5SxIM5jwYmQQ1tHWdA1q/yXNpeTEV3CaOCE4IKmlicAbhMWyM4Ndp2 PLdk5eu6z6lvwQmQ2A0mlQf/TiNDIZXKlQtAPMBxp1IrQny94i6078qTYA10BzLHqFOCMseU3JUMu g6e7imWk+eHwIzb/mWIouovvb4Y14F25HFm2dUZihgW6/A1sgb3jhrCZAHCnMbmxUKub8KQXIoXZM znx50J87IbB4XEgkHOYeMFwACLi3VQnabq8i4X3Lfo+0Umt0sZHl8eY8/bFmd8x5yulLfZIjkNbVe Cqzvq87aCKefo5xaHiq43g==; Date: Sat, 07 Oct 2023 21:26:40 +0300 Message-Id: <83h6n2z3tr.fsf@HIDDEN> From: Eli Zaretskii <eliz@HIDDEN> To: Michael Albinus <michael.albinus@HIDDEN> In-Reply-To: <87a5sugwcx.fsf@HIDDEN> (message from Michael Albinus on Sat, 07 Oct 2023 19:45:18 +0200) Subject: Re: bug#66390: `man' allows to inject arbitrary shell code References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN> <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN> <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN> <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> 
<87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 66390 Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) > From: Michael Albinus <michael.albinus@HIDDEN> > Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org > Date: Sat, 07 Oct 2023 19:45:18 +0200 > > Eli Zaretskii <eliz@HIDDEN> writes: > > >> > And what kind of shell would we assume when rejecting that? > >> > >> It isn't a problem of the shell. Man-translate-references manipulates > >> the arguments such a way that no shell quoting is neded. > > > > Then there's no problem to begin with, since the OP claims the problem > > is with the shell? > > The OP claims that the arguments could be misused, bypassing exotic > strings which would do terrific work in the shell man is using. So the problem _is_ with the shell? If so, the best way of avoiding these problems is not invoke 'man' via the shell, but via call-process and its ilk instead. > > There's only madness down that road. > > Well, if you still believe there's nothing to do for us I will be quiet. We can do something, just not the way it was suggested: avoid using the shell.
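
The approach recommended in the message above (running the program through call-process with an argument list instead of a shell command line), as an added Emacs Lisp example. It is not code from man.el, ol-man.el or anyone in this thread; every `my-' name is hypothetical, the sample reference is constructed, printf stands in for man in the comparison, and refusing arguments that start with "-" is an assumption suited to non-interactive callers.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not part of man.el.  All `my-' names are hypothetical.

(defun my-run-shell (command-line)
  "Run COMMAND-LINE through /bin/sh.  Return (EXIT-STATUS . OUTPUT)."
  (with-temp-buffer
    ;; The whole string is parsed by the shell, so any metacharacter
    ;; that was spliced into it is treated as shell syntax.
    (let ((status (call-process "/bin/sh" nil t nil "-c" command-line)))
      (cons status (buffer-string)))))

(defun my-run-argv (program &rest args)
  "Run PROGRAM with ARGS without a shell.  Return (EXIT-STATUS . OUTPUT)."
  (with-temp-buffer
    ;; Each element of ARGS becomes exactly one argv entry of the child
    ;; process; nothing re-parses it, so no quoting is required.
    (let ((status (apply #'call-process program nil t nil args)))
      (cons status (buffer-string)))))

(defun my-man-ref-to-args (ref)
  "Translate REF such as \"cat(1)\" into the list (\"1\" \"cat\").
A bare topic such as \"cat\" becomes (\"cat\").  Signal an error for an
empty argument or one that `man' could read as an option."
  (let ((args (if (string-match "\\`\\([^()]+\\)(\\([^()]+\\))\\'" ref)
                  (list (match-string 2 ref) (match-string 1 ref))
                (list ref))))
    (dolist (arg args)
      ;; Assumption: a reference taken from a file never needs options.
      ;; Passing argv directly removes shell parsing, but `man' itself
      ;; still interprets a leading dash.
      (when (or (string= arg "") (string-prefix-p "-" arg))
        (error "Refusing man argument: %S" arg)))
    args))

(defun my-man-page-text (ref)
  "Return the formatted page for REF as a string, or nil if `man' fails."
  (let ((result (apply #'my-run-argv "man" (my-man-ref-to-args ref))))
    (and (eql (car result) 0) (cdr result))))

;; Constructed sample: a reference containing a shell command separator.
(defvar my-sample-ref "cat; echo MARKER")

(defun my-compare ()
  "Return how `my-sample-ref' arrives at the child process both ways.
printf stands in for man so the comparison needs no man pages."
  (list
   ;; Spliced into a command line: the shell ends the printf command at
   ;; the semicolon and runs what follows as a second command.
   :via-shell (cdr (my-run-shell (concat "printf '<%s>' " my-sample-ref)))
   ;; Passed as argv: printf receives the reference as one argument,
   ;; semicolon included, and no second command exists.
   :via-argv (cdr (my-run-argv "printf" "<%s>" my-sample-ref))))
```

Evaluating (my-compare) shows the difference between the two call styles; (my-man-page-text "cat(1)") runs man with the argument list ("1" "cat").
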

From: Michael Albinus <michael.albinus@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 19:45:18 +0200
Message-ID: <87a5sugwcx.fsf@HIDDEN>
In-Reply-To: <83jzryz6op.fsf@HIDDEN>

Eli Zaretskii <eliz@HIDDEN> writes:

Hi Eli,

>> On argument syntax for man. It is documented.
>
> For what versions of 'man'?  There are a lot of different versions; I
> myself wrote a clone, for example.

I haven't written such a thing, so you will always beat me. And if you
oppose my proposals, I will happily accept it.

>> > And what kind of shell would we assume when rejecting that?
>>
>> It isn't a problem of the shell. Man-translate-references manipulates
>> the arguments in such a way that no shell quoting is needed.
>
> Then there's no problem to begin with, since the OP claims the problem
> is with the shell?

The OP claims that the arguments could be misused, bypassing exotic
strings which would do terrific work in the shell man is using.

>> > Once again, interactive invocations should let the user type whatever
>> > she wants, and if that fails in strange ways, it's on the user, not on
>> > us.
>>
>> Yes, if the user types nonsense it shall fail. The point is where to
>> fail. I believe it shall fail already in Man-translate-references, and
>> not from the man invocation with a shell.
>
> We cannot do that, unless we implement the entire behavior of 'man' in
> Emacs.
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.

No, the docstring speaks about -a, -k and -l. That's what we shall do.

> There's only madness down that road.

Well, if you still believe there's nothing to do for us I will be quiet.

Best regards, Michael.

From: Eli Zaretskii <eliz@HIDDEN>
To: Michael Albinus <michael.albinus@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 20:24:54 +0300
Message-Id: <83jzryz6op.fsf@HIDDEN>
In-Reply-To: <87mswugyoq.fsf@HIDDEN>

> From: Michael Albinus <michael.albinus@HIDDEN>
> Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
> Date: Sat, 07 Oct 2023 18:55:01 +0200
>
> Eli Zaretskii <eliz@HIDDEN> writes:
>
> Hi Eli,
>
> >> The function `Man-translate-references' tries to do it. For example, it
> >> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> >> problem. The function should check stronger, and it should reject
> >> arguments like "File:\\:UserDirs(3pm)".
> >
> > Based on what would we reject such arguments?
>
> On argument syntax for man. It is documented.

For what versions of 'man'?  There are a lot of different versions; I
myself wrote a clone, for example.

> > And what kind of shell would we assume when rejecting that?
>
> It isn't a problem of the shell. Man-translate-references manipulates
> the arguments in such a way that no shell quoting is needed.

Then there's no problem to begin with, since the OP claims the problem
is with the shell?

> > Once again, interactive invocations should let the user type whatever
> > she wants, and if that fails in strange ways, it's on the user, not on
> > us.
>
> Yes, if the user types nonsense it shall fail. The point is where to
> fail. I believe it shall fail already in Man-translate-references, and
> not from the man invocation with a shell.

We cannot do that, unless we implement the entire behavior of 'man' in
Emacs.

> The docstring of man explains already, which kind of arguments are
> expected.

Yes, and we update that all the time, given how the systems stretch
these specs.

There's only madness down that road.

From: Michael Albinus <michael.albinus@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 18:55:01 +0200
Message-ID: <87mswugyoq.fsf@HIDDEN>
In-Reply-To: <83o7hazap7.fsf@HIDDEN>

Eli Zaretskii <eliz@HIDDEN> writes:

Hi Eli,

>> The function `Man-translate-references' tries to do it. For example, it
>> translates the argument "cat(1)" into "1 cat", which doesn't pose a
>> problem. The function should check stronger, and it should reject
>> arguments like "File:\\:UserDirs(3pm)".
>
> Based on what would we reject such arguments?

On argument syntax for man. It is documented.

> And what kind of shell would we assume when rejecting that?

It isn't a problem of the shell. Man-translate-references manipulates
the arguments in such a way that no shell quoting is needed.

> Once again, interactive invocations should let the user type whatever
> she wants, and if that fails in strange ways, it's on the user, not on
> us.

Yes, if the user types nonsense it shall fail. The point is where to
fail. I believe it shall fail already in Man-translate-references, and
not from the man invocation with a shell.

The docstring of man explains already, which kind of arguments are
expected. We should simply follow with the implementation.
"File:\\:UserDirs(3pm)" is not a valid argument, and shall be rejected
on Lisp level.

Best regards, Michael.

From: Eli Zaretskii <eliz@HIDDEN>
To: Michael Albinus <michael.albinus@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 18:58:12 +0300
Message-Id: <83o7hazap7.fsf@HIDDEN>
In-Reply-To: <875y3iigua.fsf@HIDDEN>

> From: Michael Albinus <michael.albinus@HIDDEN>
> Cc: Eli Zaretskii <eliz@HIDDEN>, 66390 <at> debbugs.gnu.org
> Date: Sat, 07 Oct 2023 17:37:33 +0200
>
> The function `Man-translate-references' tries to do it. For example, it
> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> problem. The function should check stronger, and it should reject
> arguments like "File:\\:UserDirs(3pm)".

Based on what would we reject such arguments?  And what kind of shell
would we assume when rejecting that?

Once again, interactive invocations should let the user type whatever
she wants, and if that fails in strange ways, it's on the user, not on
us.

From: Michael Albinus <michael.albinus@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Cc: Eli Zaretskii <eliz@HIDDEN>, 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 17:37:33 +0200
Message-ID: <875y3iigua.fsf@HIDDEN>
In-Reply-To: <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>

Max Nikulin <manikulin@HIDDEN> writes:

Hi,

>> Sorry, I disagree. 'man' is an interactive command, so it should not
>> second-guess the user who invokes it. Commands that call 'man'
>> non-interactively should make sure they call 'man' with a valid
>> argument, especially when the argument comes from some file.
>
> Does man.el provide a function that opens references to man pages, but
> that is safe in respect to shell specials?
>
> Calling of shell commands belongs to implementation details of man.el
> and effectively you require that callers must be aware of it.

I tend to agree with both :-)

The caller of a shell command (`man ARGS') is responsible for proper
quoting of the arguments.

The function `Man-translate-references' tries to do it. For example, it
translates the argument "cat(1)" into "1 cat", which doesn't pose a
problem. The function should check stronger, and it should reject
arguments like "File:\\:UserDirs(3pm)".

ol-man.el should be busy to offer only valid arguments to `man'
according to the man page man(1).

Oh man ...

Best regards, Michael.

From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 18:10:36 +0300
Message-Id: <83r0m6zcwj.fsf@HIDDEN>
In-Reply-To: <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>

> Date: Sat, 7 Oct 2023 21:29:12 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
>
> On 07/10/2023 21:19, Eli Zaretskii wrote:
> >
> > Sorry, I disagree. 'man' is an interactive command, so it should not
> > second-guess the user who invokes it. Commands that call 'man'
> > non-interactively should make sure they call 'man' with a valid
> > argument, especially when the argument comes from some file.
>
> Does man.el provide a function that opens references to man pages, but
> that is safe in respect to shell specials?
>
> Calling of shell commands belongs to implementation details of man.el
> and effectively you require that callers must be aware of it.

No, I just expect the callers to call 'man' with valid arguments.
bug-gnu-emacs@HIDDEN
:bug#66390
; Package emacs
.
From: Max Nikulin <manikulin@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 21:29:12 +0700

On 07/10/2023 21:19, Eli Zaretskii wrote:
>
> Sorry, I disagree. 'man' is an interactive command, so it should not
> second-guess the user who invokes it. Commands that call 'man'
> non-interactively should make sure they call 'man' with a valid
> argument, especially when the argument comes from some file.

Does man.el provide a function that opens references to man pages, but
that is safe in respect to shell specials?

Calling of shell commands belongs to implementation details of man.el
and effectively you require that callers must be aware of it.

From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 17:19:28 +0300

> Date: Sat, 7 Oct 2023 21:12:54 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
>
> On 07/10/2023 20:04, Eli Zaretskii wrote:
> >> From: Maxim Nikulin
> >> Date: Sat, 7 Oct 2023 19:47:04 +0700
> >
> >> man.el should prevent substitution of shell specials literally from
> >> `man' arguments into shell commands.
> >
> > I think callers of 'man' should prevent that instead.
>
> If it is fixed in man.el then it is fixed for all callers. Otherwise
> every caller must have notion of structure of references to man pages
> instead of just treating them as opaque sequence of characters.

Sorry, I disagree. 'man' is an interactive command, so it should not
second-guess the user who invokes it. Commands that call 'man'
non-interactively should make sure they call 'man' with a valid
argument, especially when the argument comes from some file.

From: Max Nikulin <manikulin@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 21:12:54 +0700

On 07/10/2023 20:04, Eli Zaretskii wrote:
>> From: Maxim Nikulin
>> Date: Sat, 7 Oct 2023 19:47:04 +0700
>
>> man.el should prevent substitution of shell specials literally from
>> `man' arguments into shell commands.
>
> I think callers of 'man' should prevent that instead.

If it is fixed in man.el then it is fixed for all callers. Otherwise
every caller must have notion of structure of references to man pages
instead of just treating them as opaque sequence of characters.

From: Eli Zaretskii <eliz@HIDDEN>
To: Maxim Nikulin <m.a.nikulin@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 07 Oct 2023 16:04:17 +0300

> From: Maxim Nikulin <m.a.nikulin@HIDDEN>
> Date: Sat, 7 Oct 2023 19:47:04 +0700
>
> man.el does not escape properly shell special characters when `man' is
> invoked with an argument to open particular manual page. As a result
> arbitrary shell code may be executed.
>
> I do not consider it as a real issue when the `man' command is invoked
> by a user directly. However it is a security vulnerability when other
> packages call `man' to open a specific page.
>
> Consider an Org mode document with the following link and ol-man is loaded
>
> <man:File:\:UserDirs(3pm)>
>
> In response to C-c C-o (`org-open-at-point') an error appears instead of
> formatted manual page
>
> --- 8< ---
> /usr/bin/sh: 1: Syntax error: "(" unexpected
>
> process exited abnormally with code 2
> --- >8 ---
>
> Alternatively just evaluate
>
> (man "File:\\:UserDirs(3pm)")

Why isn't it a problem with the command that invokes 'man', in this
case Org?

> man.el should prevent substitution of shell specials literally from
> `man' arguments into shell commands.

I think callers of 'man' should prevent that instead.

From: Maxim Nikulin <m.a.nikulin@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: `man' allows to inject arbitrary shell code
Date: Sat, 7 Oct 2023 19:47:04 +0700

man.el does not escape properly shell special characters when `man' is
invoked with an argument to open particular manual page. As a result
arbitrary shell code may be executed.

I do not consider it as a real issue when the `man' command is invoked
by a user directly. However it is a security vulnerability when other
packages call `man' to open a specific page.

Consider an Org mode document with the following link and ol-man is loaded

<man:File:\:UserDirs(3pm)>

In response to C-c C-o (`org-open-at-point') an error appears instead of
formatted manual page

--- 8< ---
/usr/bin/sh: 1: Syntax error: "(" unexpected

process exited abnormally with code 2
--- >8 ---

Alternatively just evaluate

(man "File:\\:UserDirs(3pm)")

A side note: I tried to add backslash due to an issue with ol-man that
is to be fixed. A workaround in this particular case is to remove
"(3pm)". Though the real problem is that special characters "()" are
not quoted.

I would not consider the issue as a severe one unless some users who
wish to open arbitrary Org files from the net
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774#34
> Org files are native to Emacs, I wish to open Org files by using EWW.

man.el should prevent substitution of shell specials literally from
`man' arguments into shell commands.

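The failure reported above can be reproduced outside Emacs. The following is an added example, not code from man.el or from anyone in the thread: it passes the report's reference string to a child shell three ways (pasted into the command text, quoted before interpolation, and as a positional parameter). `printf` stands in for the man pipeline so it runs offline, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. `printf` stands in for the man pipeline so this runs offline;
# the function names are hypothetical and are not part of man.el.

# Reference string from the bug report (the Lisp string "File:\\:UserDirs(3pm)").
TOPIC='File:\:UserDirs(3pm)'

# Unsafe: the reference becomes part of the command text, so the child shell
# parses "(" and ")" as syntax instead of treating them as data.
run_unsafe() {
    sh -c "printf '%s\n' $1"
}

# Quote one string for POSIX sh: wrap it in single quotes and rewrite every
# embedded ' as '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# Quoted: same command text, but the reference is escaped before interpolation.
run_quoted() {
    sh -c "printf '%s\n' $(shell_quote "$1")"
}

# No interpolation: the command text is constant and the reference travels
# as a positional parameter, so no quoting step can be forgotten.
run_argv() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Run all three against the report's reference and show what the child shell did.
for f in run_unsafe run_quoted run_argv; do
    if out=$("$f" "$TOPIC" 2>&1); then
        echo "$f: child shell received: $out"
    else
        echo "$f: child shell rejected the command: $out"
    fi
done
```

In Emacs Lisp the counterpart of `shell_quote` is `shell-quote-argument`, and the counterpart of `run_argv` is starting the program with `call-process` and an argument list rather than through a shell.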
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.