GNU bug report logs - #66390
`man' allows to inject arbitrary shell code


Package: emacs; Reported by: Maxim Nikulin <m.a.nikulin@HIDDEN>; dated Sat, 7 Oct 2023 12:48:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 66390 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
Date: Sat, 21 Oct 2023 02:19:07 -0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN

Eli Zaretskii <eliz@HIDDEN> writes:

> That's true, but neither are ':' or '[', and AFAIK we already have
> man-page file names which use those two.

Perhaps we should add tests for man pages with such characters.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Date: Sat, 21 Oct 2023 10:45:06 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN, stefankangas@HIDDEN

> From: Andreas Schwab <schwab@HIDDEN>
> Cc: Stefan Kangas <stefankangas@HIDDEN>,  lx@HIDDEN,
>   manikulin@HIDDEN,  66390 <at> debbugs.gnu.org,  michael.albinus@HIDDEN
> Date: Sat, 21 Oct 2023 09:35:38 +0200
> 
> On Okt 21 2023, Eli Zaretskii wrote:
> 
> > found in file names).  In particular, who can guarantee that ';' will
> > not be part of some man page some day? it's a valid file-name
> > character on Posix hosts, isn't it?
> 
> It's not part of the Portable Filename Character Set.

That's true, but neither are ':' or '[', and AFAIK we already have
man-page file names which use those two.





Message received at 66390 <at> debbugs.gnu.org:


From: Andreas Schwab <schwab@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Date: Sat, 21 Oct 2023 09:35:38 +0200
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN, Stefan Kangas <stefankangas@HIDDEN>

On Okt 21 2023, Eli Zaretskii wrote:

> found in file names).  In particular, who can guarantee that ';' will
> not be part of some man page some day? it's a valid file-name
> character on Posix hosts, isn't it?

It's not part of the Portable Filename Character Set.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."





Message received at 66390 <at> debbugs.gnu.org:


Date: Sat, 21 Oct 2023 10:19:58 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 schwab@HIDDEN, michael.albinus@HIDDEN

> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Fri, 20 Oct 2023 14:00:50 -0700
> Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN, 
> 	Eli Zaretskii <eliz@HIDDEN>
> 
> lux <lx@HIDDEN> writes:
> 
> > On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
> >> On Okt 10 2023, lux wrote:
> >>
> >> > +        ;; see Bug#66390
> >> > +	(mapconcat 'identity
> >> > +                   (mapcar #'shell-quote-argument
> >> > +                           (split-string ref " "))
> >>
> >> You need to split on arbitrary sequences of whitespace to not introduce
> >> spurious empty arguments.
> >>
> >
> > Thanks, I've modified it to (split-string ref "\\s-+").
> 
> I lost track of this discussion a little bit, but I think we should
> try to have this fixed in Emacs 29.2.

If we have a reliable solution (a hard-to-satisfy condition, see
below), yes.

> Is the below patch acceptable?

I'm not sure it is reliable enough.  man.el is an extremely tricky
package wrt the weird file names it must support (because many man
pages have weird names and include characters that are not normally
found in file names).  In particular, who can guarantee that ';' will
not be part of some man page some day? it's a valid file-name
character on Posix hosts, isn't it?

So I would be happier with installing this on master instead.
Distros which consider this a serious vulnerability can always
cherry-pick the change in their Emacs 29 distributions.
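
The question raised above about ';' in man-page names, and the suggestion elsewhere in this thread to test names containing ':' or '[', can be checked at the shell level. This is an added example, not code from man.el or from the patch under discussion: the `ex-' function names are hypothetical, the sample names are constructed, and a POSIX `sh' with `printf' is assumed. It quotes each word as the patch does (but drops empty words) and asserts on the arguments the shell actually delivers; it says nothing about how the rest of man.el treats such names.

```elisp
;;; Added example; not part of man.el or of the patch in bug#66390.
;;; All `ex-' names are hypothetical.  Assumes a POSIX host with `sh'.
(require 'ert)

(defun ex-quote-ref-words (ref)
  "Quote each whitespace-separated word of REF for the shell.
Same idea as the patch, except that empty words are dropped (the
OMIT-NULLS argument), so leading or trailing blanks in REF do not
turn into empty arguments."
  (mapconcat #'shell-quote-argument
             (split-string ref "[ \t\n]+" t)
             " "))

(defun ex-argv-seen-by-shell (ref)
  "Return the list of arguments a POSIX shell delivers for quoted REF.
The quoted words are appended to a fixed `printf' command, which
prints one received argument per line."
  (with-temp-buffer
    (call-process "sh" nil t nil "-c"
                  (concat "printf '%s\\n' " (ex-quote-ref-words ref)))
    (split-string (buffer-string) "\n" t)))

(defun ex-posix-shell-p ()
  "Non-nil when the checks below are meaningful on this host."
  (and (not (memq system-type '(windows-nt ms-dos)))
       (executable-find "sh")))

(ert-deftest ex-unusual-names-survive-quoting ()
  "Constructed names with ':', '[' and ';' arrive as one literal word."
  (skip-unless (ex-posix-shell-p))
  (dolist (name '("basename" "Foo::Bar" "[" "a;b"))
    (should (equal (ex-argv-seen-by-shell name) (list name)))))

(ert-deftest ex-metacharacters-stay-arguments ()
  "A leading ';' is delivered as data, and options still split on blanks."
  (skip-unless (ex-posix-shell-p))
  ;; ";id" and "-k basename" are the inputs used in the patch's own test.
  (should (equal (ex-quote-ref-words ";id") "\\;id"))
  (should (equal (ex-argv-seen-by-shell ";id") '(";id")))
  (should (equal (ex-argv-seen-by-shell "-k basename")
                 '("-k" "basename")))
  ;; Extra blanks must not produce empty arguments.
  (should (equal (ex-argv-seen-by-shell "  -k   basename ")
                 '("-k" "basename"))))
```

Evaluate the block and run `M-x ert RET "^ex-" RET' to execute both tests.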





Message received at 66390 <at> debbugs.gnu.org:


From: Stefan Kangas <stefankangas@HIDDEN>
Date: Fri, 20 Oct 2023 14:00:50 -0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: lux <lx@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN, Eli Zaretskii <eliz@HIDDEN>

lux <lx@HIDDEN> writes:

> On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
>> On Okt 10 2023, lux wrote:
>>
>> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ;; see Bug#66390
>> > +	(mapconcat 'identity
>> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (mapcar #'shell-quote-argument
>> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 (split-string ref " "))
>>
>> You need to split on arbitrary sequences of whitespace to not introduce
>> spurious empty arguments.
>>
>
> Thanks, I've modified it to (split-string ref "\\s-+").

I lost track of this discussion a little bit, but I think we should
try to have this fixed in Emacs 29.2.

Is the below patch acceptable?

> From faa49ba78a203d47740280e5c6fd0e075628b507 Mon Sep 17 00:00:00 2001
> From: Xi Lu <lx@HIDDEN>
> Date: Tue, 10 Oct 2023 22:20:05 +0800
> Subject: [PATCH] Fix man.el code injection vulnerability.
>
> * lisp/man.el (Man-translate-references): Fix code injection.
> * test/lisp/man-tests.el (man-tests-Man-translate-references): New.
> ---
>  lisp/man.el            |  6 +++++-
>  test/lisp/man-tests.el | 12 ++++++++++++
>  2 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/lisp/man.el b/lisp/man.el
> index 506d6060269..a95435c7ea0 100644
> --- a/lisp/man.el
> +++ b/lisp/man.el
> @@ -692,7 +692,11 @@ Man-translate-references
>        (setq name (match-string 2 ref)
>  	    section (match-string 1 ref))))
>      (if (string=3D name "")
> -	ref				; Return the reference as is
> +        ;; see Bug#66390
> +	(mapconcat 'identity
> +                   (mapcar #'shell-quote-argument
> +                           (split-string ref "\\s-+"))
> +                   " ")                 ; Return the reference as is
>        (if Man-downcase-section-letters-flag
>  	  (setq section (downcase section)))
>        (while slist
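
Review bot: In the (string= name "") branch, split-string is called with "\\s-+" but without the OMIT-NULLS argument, so a ref with leading or trailing whitespace still yields an empty string, which shell-quote-argument turns into an empty quoted argument; pass t as the third argument to split-string to drop those. The retained comment "Return the reference as is" no longer describes the code, since the reference is now split, quoted and rejoined, so it should be reworded. "\\s-" also depends on the syntax table of the current buffer; an explicit class such as "[ \t\n]+" would be more predictable, and calling mapconcat with #'shell-quote-argument directly would make the mapcar and 'identity unnecessary.
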
> diff --git a/test/lisp/man-tests.el b/test/lisp/man-tests.el
> index e3657d7df8a..1c6dcb63a5c 100644
> --- a/test/lisp/man-tests.el
> +++ b/test/lisp/man-tests.el
> @@ -161,6 +161,18 @@ man-bgproc-filter-buttonize-includes
>            (let ((button (button-at (match-beginning 0))))
>              (should (and button (eq 'Man-xref-header-file (button-type b=
utton))))))))))
>
> +(ert-deftest man-tests-Man-translate-references ()
> +  (should (equal (Man-translate-references "basename")
> +                 "basename"))
> +  (should (equal (Man-translate-references "basename(3)")
> +                 "3 basename"))
> +  (should (equal (Man-translate-references "basename(3v)")
> +                 "3v basename"))
> +  (should (equal (Man-translate-references ";id")
> +                 "\\;id"))
> +  (should (equal (Man-translate-references "-k basename")
> +                 "-k basename")))
> +
>  (provide 'man-tests)
>
>  ;;; man-tests.el ends here
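
Review bot: The expected value "\\;id" in man-tests-Man-translate-references hard-codes the backslash quoting that shell-quote-argument produces for POSIX shells, so the assertion would fail on MS-Windows and MS-DOS, where that function quotes differently; compare against (shell-quote-argument ";id") instead, or skip the assertion on those systems. The test also has no case for a reference with leading, trailing or repeated whitespace, which is what the split-string change in lisp/man.el affects, and none for names containing ':' or '[', which this thread says already occur in man-page file names.
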
> --
> 2.42.0





Message received at 66390 <at> debbugs.gnu.org:


Date: Wed, 11 Oct 2023 17:56:11 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: rms@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN

On 10/10/2023 18:56, Richard Stallman wrote:
> In general, that is a reasonable policy -- but maybe a serious security 
> problem, which this seems to be, calls for special treatment.

I would not consider this particular issue a serious security problem, 
even though it may get a high score if reported as a CVE. However, I 
believe it should be addressed.

ol-man is not loaded by default.

Quite a few Org mode features are convenient in the case of trusted 
files, but close to dangerous when a user walks through a malicious 
file. There are some issues that require a significant amount of effort 
to fix without ruining usability.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 11 Oct 2023 10:46:56 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Oct 11 06:46:56 2023
Received: from localhost ([127.0.0.1]:37634 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqWjw-0003Nh-91
	for submit <at> debbugs.gnu.org; Wed, 11 Oct 2023 06:46:56 -0400
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d]:58480)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <manikulin@HIDDEN>) id 1qqWjq-0003NN-Hi
 for 66390 <at> debbugs.gnu.org; Wed, 11 Oct 2023 06:46:55 -0400
Received: by mail-lf1-x12d.google.com with SMTP id
 2adb3069b0e04-50325ce89e9so8832217e87.0
 for <66390 <at> debbugs.gnu.org>; Wed, 11 Oct 2023 03:46:28 -0700 (PDT)
X-Received: by 2002:a05:6512:ea9:b0:500:b2f6:592 with SMTP id
 bi41-20020a0565120ea900b00500b2f60592mr22108119lfb.50.1697021182086; 
 Wed, 11 Oct 2023 03:46:22 -0700 (PDT)
Received: from [192.168.0.101] (nat-0-0.nsk.sibset.net. [5.44.169.188])
 by smtp.googlemail.com with ESMTPSA id
 t26-20020ac243ba000000b0050296068a12sm2205782lfl.30.2023.10.11.03.46.21
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Wed, 11 Oct 2023 03:46:21 -0700 (PDT)
Message-ID: <b8f58d43-be03-4bf3-b494-97a88153448f@HIDDEN>
Date: Wed, 11 Oct 2023 17:46:20 +0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Content-Language: en-US, ru-RU
To: lux <lx@HIDDEN>, Andreas Schwab <schwab@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
 <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN>
 <87il7e78j5.fsf@HIDDEN>
 <tencent_B89C8F336F35EB3562777DF226E178C19708@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <tencent_B89C8F336F35EB3562777DF226E178C19708@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: Eli Zaretskii <eliz@HIDDEN>, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 11/10/2023 10:08, lux wrote:
> On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote:
>> On Okt 10 2023, lux wrote:
>>
>>> +        ;; see Bug#66390
>>> +	(mapconcat 'identity
>>> +                   (mapcar #'shell-quote-argument
>>> +                           (split-string ref " "))
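Review bot: on the `(split-string ref " ")' line, an explicit separator without the OMIT-NULLS argument keeps empty strings, and `shell-quote-argument' turns each empty string into '', so a leading, trailing or doubled space in `ref' becomes an extra empty argument on the command line. Pass t as the third argument, or call `(split-string ref)' to get the default whitespace splitting, which drops empty strings.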
>>
>> You need to split on arbitrary sequences of whitespace to not introduce
>> spurious empty arguments.
> 
> Thanks, I've modified it to (split-string ref "\\s-+").

At this point spaces are supposed to have been already normalized by the 
somewhat buggy `Man-translate-cleanup' function.

I cannot provide an example that is not handled by the suggested patch. 
I am still not feeling comfortable, since it affects a rather specific 
code path. Even the last line of this function might be more suitable.

Other considerations:

The patch changes behavior. Earlier, users had to escape characters to 
get a reliable result, but it will break searches (I am in doubt whether 
enough people will notice it):

    (man "-k \\[a-z\\]dparm")

Buffer names will have backslashes.

I do not like that the tests for `system-type' are not the same in 
`shell-quote-argument' and in `Man-getpage-in-background'. I am afraid 
that in some cases an improper style of escaping may be applied.

From my point of view, code that performs quoting should be close to 
the code that invokes the shell; otherwise the risk of inconsistent 
changes increases. I admit it requires more work than quick plumbing at 
the place where a minimal patch fixes the issue.
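
The behavior change discussed in the message above, as an added example that is not part of the thread, of man.el or of the patch: it quotes each whitespace-separated word with `shell-quote-argument' and shows which words a POSIX shell then hands to a program. The `demo-' names are hypothetical, printf stands in for man, and a POSIX shell is assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not code from man.el or from the patch in this thread.
;; Assumes a POSIX shell: `shell-quote-argument' chooses its escaping style
;; from `system-type', so results differ on MS-Windows and MS-DOS.

(defun demo-quote-words (ref &optional omit-nulls)
  "Quote each whitespace-separated word of REF for the shell.
This mirrors the per-word quoting discussed in the thread.  With
OMIT-NULLS non-nil, empty words produced by leading or trailing
whitespace are dropped instead of being quoted as ''."
  (mapconcat #'shell-quote-argument
             (split-string ref "\\s-+" omit-nulls)
             " "))

(defun demo-argv (command-tail)
  "Return the words a POSIX shell hands to a program for COMMAND-TAIL.
printf stands in for man, so no manual page lookup takes place.
Each word the program receives comes back wrapped in brackets."
  (split-string
   (shell-command-to-string (concat "printf '[%s]\\n' " command-tail))
   "\n" t))

(defconst demo-inputs
  '("-k \\[a-z\\]dparm"   ; from the thread: regexp already escaped by the caller
    "ls; echo INJECTED"   ; constructed: shell metacharacter inside the topic
    " ls")                ; constructed: leading whitespace
  "Sample topics.  All but the first are constructed for this example.")

(defun demo-report ()
  "Return one plist per sample topic.
:unquoted is what the shell does with the raw string, :quoted is
the result after per-word quoting, and :quoted-omit-nulls is the
same with empty words dropped before quoting."
  (mapcar (lambda (ref)
            (list :input ref
                  :command (demo-quote-words ref)
                  :unquoted (demo-argv ref)
                  :quoted (demo-argv (demo-quote-words ref))
                  :quoted-omit-nulls (demo-argv (demo-quote-words ref t))))
          demo-inputs))

;; Evaluate (pp (demo-report)) in *scratch*, or load this file with
;; `emacs --batch -l FILE --eval "(pp (demo-report))"'.
```

For the first sample the quoted form delivers the backslashes to the program literally, so a caller that escaped the regexp by hand now searches for a different pattern; a line without brackets in an :unquoted result is output from a second command the shell ran.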




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 11 Oct 2023 03:09:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 23:09:18 2023
Received: from localhost ([127.0.0.1]:37276 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqPb3-0004de-BP
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 23:09:18 -0400
Received: from out203-205-221-149.mail.qq.com ([203.205.221.149]:38580)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lx@HIDDEN>) id 1qqPav-0004cr-0d
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 23:09:15 -0400
Received: from [10.8.192.150] ([140.210.194.131])
 by newxmesmtplogicsvrszc2-1.qq.com (NewEsmtp) with SMTP
 id 222A2AAA; Wed, 11 Oct 2023 11:08:34 +0800
X-QQ-mid: xmsmtpt1696993714tpiw3w65w
Message-ID: <tencent_B89C8F336F35EB3562777DF226E178C19708@HIDDEN>
X-OQ-MSGID: <4231edb7920ea7ba394fddf82d153ac1c819ee61.camel@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
From: lux <lx@HIDDEN>
To: Andreas Schwab <schwab@HIDDEN>
Date: Wed, 11 Oct 2023 11:08:34 +0800
In-Reply-To: <87il7e78j5.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
 <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN>
 <87il7e78j5.fsf@HIDDEN>
Content-Type: multipart/mixed; boundary="=-rLVAPJWRAGvwcNQqiOFF"
User-Agent: Evolution 3.50.0-1 
MIME-Version: 1.0
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote: >
    On Okt 10 2023, lux wrote: > > > +        ;; see Bug#66390 > > + (mapconcat
    'identity > > +                   (mapca [...] 
 
 Content analysis details:   (3.6 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                              no trust
                             [203.205.221.149 listed in list.dnswl.org]
  0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                             dynamic-looking rDNS
  3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
                             addr 1)
X-Debbugs-Envelope-To: 66390
Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.6 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  On Tue, 2023-10-10 at 18:21 +0200, Andreas Schwab wrote: >
    On Okt 10 2023, lux wrote: > > > +        ;; see Bug#66390 > > + (mapconcat
    'identity > > +                   (mapca [...] 
 
 Content analysis details:   (2.6 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                              no trust
                             [203.205.221.149 listed in list.dnswl.org]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
  0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                             dynamic-looking rDNS
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager
  3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
                             addr 1)

--=-rLVAPJWRAGvwcNQqiOFF
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64



--=-rLVAPJWRAGvwcNQqiOFF
Content-Disposition: attachment; filename="0001-Fix-man.el-code-injection-vulnerability.patch"
Content-Transfer-Encoding: base64
Content-Type: text/x-patch; name="0001-Fix-man.el-code-injection-vulnerability.patch";
	charset="UTF-8"



--=-rLVAPJWRAGvwcNQqiOFF--





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 16:22:02 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 12:22:02 2023
Received: from localhost ([127.0.0.1]:36802 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqFUg-0007dn-3H
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 12:22:02 -0400
Received: from mail-out.m-online.net ([212.18.0.9]:44139)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <whitebox@HIDDEN>) id 1qqFUd-0007dL-Uu
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 12:22:01 -0400
Received: from frontend01.mail.m-online.net (unknown [192.168.8.182])
 by mail-out.m-online.net (Postfix) with ESMTP id 4S4h3z4vRRz1r3FC;
 Tue, 10 Oct 2023 18:21:35 +0200 (CEST)
Received: from localhost (dynscan1.mnet-online.de [192.168.6.68])
 by mail.m-online.net (Postfix) with ESMTP id 4S4h3z2XQcz1qqlW;
 Tue, 10 Oct 2023 18:21:35 +0200 (CEST)
X-Virus-Scanned: amavis at mnet-online.de
Received: from mail.mnet-online.de ([192.168.8.182])
 by localhost (dynscan1.mail.m-online.net [192.168.6.68]) (amavis, port 10024)
 with ESMTP id yXJ0GzLZtvBd; Tue, 10 Oct 2023 18:21:34 +0200 (CEST)
X-Auth-Info: E7BQoBmjgSDdzp18KP3zAVKH306EZWhz7ayK8MElbY9atyLx3dsWCg/AFCynCJaR
Received: from igel.home (aftr-62-216-205-95.dynamic.mnet-online.de
 [62.216.205.95])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by mail.mnet-online.de (Postfix) with ESMTPSA;
 Tue, 10 Oct 2023 18:21:34 +0200 (CEST)
Received: by igel.home (Postfix, from userid 1000)
 id 202BC2C151C; Tue, 10 Oct 2023 18:21:34 +0200 (CEST)
From: Andreas Schwab <schwab@HIDDEN>
To: lux <lx@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN> (lux's
 message of "Tue, 10 Oct 2023 22:30:03 +0800")
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
 <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN>
 <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN>
 <87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN>
 <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN>
 <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
 <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN>
X-Yow: I'm QUIETLY reading the latest issue of ``BOWLING WORLD''
 while my wife and two children stand QUIETLY BY..
Date: Tue, 10 Oct 2023 18:21:34 +0200
Message-ID: <87il7e78j5.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.4 (/)
X-Debbugs-Envelope-To: 66390
Cc: Max Nikulin <manikulin@HIDDEN>, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN, Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.4 (-)

On Okt 10 2023, lux wrote:

> +        ;; see Bug#66390
> +	(mapconcat 'identity
> +                   (mapcar #'shell-quote-argument
> +                           (split-string ref " "))
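
Review bot: the `mapconcat 'identity' wrapped around `mapcar' builds an intermediate list that is not needed; `(mapconcat #'shell-quote-argument (split-string ...) " ")' does the same in one pass and avoids mixing 'identity with #'shell-quote-argument. The comment `;; see Bug#66390' should also say why the words are quoted (the result ends up on a shell command line), and the added lines mix a tab with spaces for indentation.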

You need to split on arbitrary sequences of whitespace to not introduce
spurious empty arguments.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 14:31:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 10:31:05 2023
Received: from localhost ([127.0.0.1]:36687 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqDlJ-0000uw-6U
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 10:31:05 -0400
Received: from out203-205-221-239.mail.qq.com ([203.205.221.239]:45052)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lx@HIDDEN>) id 1qqDlD-0000uE-Kh
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 10:31:04 -0400
Received: from [IPv6:240e:399:e6f:ee32:d16f:6236:55f6:6273]
 ([240e:399:e6f:ee32:d16f:6236:55f6:6273])
 by newxmesmtplogicsvrsza7-0.qq.com (NewEsmtp) with SMTP
 id 783B02E5; Tue, 10 Oct 2023 22:30:03 +0800
X-QQ-mid: xmsmtpt1696948203t5jrf5cly
Message-ID: <tencent_3C358C354C777BF23EE1D3C1839C3F331C08@HIDDEN>
X-OQ-MSGID: <b67b17c315433cecd33da782ffad8534597d3dc0.camel@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
From: lux <lx@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
Date: Tue, 10 Oct 2023 22:30:03 +0800
In-Reply-To: <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
Content-Type: multipart/mixed; boundary="=-dHXcW2HU6s+HOY92wqUK"
User-Agent: Evolution 3.50.0-1 
MIME-Version: 1.0
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  On Tue, 2023-10-10 at 17:54 +0700, Max Nikulin wrote: > On
 09/10/2023 23:30, lux wrote: > > > > Here's my patch and the test cases.
 > > Thank you for your attempt to fix the issue. Unfortunately the p [...]
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [203.205.221.239 listed in list.dnswl.org]
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
 dynamic-looking rDNS
 3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
 addr 1)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.6 (++)

--=-dHXcW2HU6s+HOY92wqUK
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2023-10-10 at 17:54 +0700, Max Nikulin wrote:
> On 09/10/2023 23:30, lux wrote:
> >
> > Here's my patch and the test cases.
>
> Thank you for your attempt to fix the issue. Unfortunately the proposed
> patch breaks the following case
>
>     M-x man RET -k man RET
>
> That is why I wrote that each word should be escaped independently.
>
> I am unsure if (man "-k man") should be supported as call with argument.
>

Thanks for the correction :-)

I have fixed my patch and tested it on Emacs 30.0.50; it's OK.

Stefan, Max, can you test it again?

--=-dHXcW2HU6s+HOY92wqUK
Content-Disposition: attachment; filename="0001-Fix-man.el-code-injection-vulnerability.patch"
Content-Type: text/x-patch; name="0001-Fix-man.el-code-injection-vulnerability.patch";
	charset="UTF-8"
Content-Transfer-Encoding: base64



--=-dHXcW2HU6s+HOY92wqUK--
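
The point quoted in the message above, that each word must be escaped independently, shown as an added example that is not part of the thread or of the attached patch. It is written in Python rather than Emacs Lisp: shlex.quote stands in for Emacs's shell-quote-argument, and the shell function named man is a stub that only echoes the arguments it receives; both are assumptions made for the demonstration.

```python
import shlex
import subprocess

# Stub replacing man(1) inside the spawned shell: it prints one "arg=" line
# per argument, so the output shows how sh tokenised the command line.
# (Assumption for this demo; the command quoted in the thread pipes the
# real man output to sed.)
STUB = 'man() { for a in "$@"; do printf "arg=%s\\n" "$a"; done; }; '


def build_unquoted(topic):
    """Vulnerable: the topic is pasted into the command string as is."""
    return "man " + topic


def build_whole_quoted(topic):
    """Blocks injection, but the whole topic becomes ONE argument."""
    return "man " + shlex.quote(topic)


def build_per_word(topic):
    """Quote each whitespace-separated word on its own, then re-join."""
    return "man " + " ".join(shlex.quote(word) for word in topic.split())


def run(command):
    """Run the command through `sh -c` and return its stdout lines."""
    result = subprocess.run(
        ["sh", "-c", STUB + command + " 2>/dev/null"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.splitlines()


def injected(lines):
    """True if some output line did not come from the stub, i.e. a second
    command ran in the shell."""
    return any(not line.startswith("arg=") for line in lines)


# Constructed inputs: an option plus keyword, a lone "[", and a harmless
# marker command standing in for injected shell code.
SAMPLES = ["-k man", "[", "x; echo INJECTED"]

if __name__ == "__main__":
    for topic in SAMPLES:
        for build in (build_unquoted, build_whole_quoted, build_per_word):
            command = build(topic)
            lines = run(command)
            flag = "  <-- extra command ran" if injected(lines) else ""
            print(f"{build.__name__:18} {command!r:30} -> {lines}{flag}")
```

Per-word quoting keeps "-k man" as two arguments and stops the marker command from running, but a word such as "-k" still reaches man as an option, which is the open question about (man "-k man") in the quoted text.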





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 12:26:16 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 08:26:15 2023
Received: from localhost ([127.0.0.1]:34212 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqBoV-0007jy-F6
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 08:26:15 -0400
Received: from mail-lj1-x231.google.com ([2a00:1450:4864:20::231]:44116)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1qqBoQ-0007jb-3K
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 08:26:14 -0400
Received: by mail-lj1-x231.google.com with SMTP id
 38308e7fff4ca-2c135cf2459so64913221fa.0
 for <66390 <at> debbugs.gnu.org>; Tue, 10 Oct 2023 05:25:48 -0700 (PDT)
X-Received: by 2002:a2e:9f10:0:b0:2ba:18e5:1063 with SMTP id
 u16-20020a2e9f10000000b002ba18e51063mr15317876ljk.50.1696940742676; Tue, 10
 Oct 2023 05:25:42 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Tue, 10 Oct 2023 12:25:42 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <83mswqvfrm.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN> <834jizwxm2.fsf@HIDDEN>
 <CADwFkm=Yov5nmWB8JSJ+hNG_Hs=ayG+Efb46fLnhR5WjVA1Ukw@HIDDEN>
 <83mswqvfrm.fsf@HIDDEN>
MIME-Version: 1.0
Date: Tue, 10 Oct 2023 12:25:42 +0000
Message-ID: <CADwFkmnaBrMVnegOyEJ4j8VxSKDnd+LfZ47rz9cCHWyM-Fr41A@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

> Does it also work correctly in all the scenarios described in
> bug#64795, including completion?

No, trying to complete there gives the prompt:

    Manual entry: [ [No match]

On the other hand this already seems broken in a different way in Emacs
29 on this macOS machine.  Trying to complete with:

    M-x man RET [ TAB TAB

leads to

    Manual entry: [: [Sole completion]

and RET at this point gives

    Can't find the [: manpage




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 12:12:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 08:12:26 2023
Received: from localhost ([127.0.0.1]:34200 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqBb8-0007E4-JX
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 08:12:26 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:41942)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1qqBb7-0007Ds-1W
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 08:12:25 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1qqBag-00047g-Ft; Tue, 10 Oct 2023 08:11:58 -0400
Date: Tue, 10 Oct 2023 15:11:25 +0300
Message-Id: <83mswqvfrm.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <CADwFkm=Yov5nmWB8JSJ+hNG_Hs=ayG+Efb46fLnhR5WjVA1Ukw@HIDDEN>
 (message from Stefan Kangas on Tue, 10 Oct 2023 07:43:00 +0000)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN> <834jizwxm2.fsf@HIDDEN>
 <CADwFkm=Yov5nmWB8JSJ+hNG_Hs=ayG+Efb46fLnhR5WjVA1Ukw@HIDDEN>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66390
Cc: lx@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: Stefan Kangas <stefankangas@HIDDEN>
> Date: Tue, 10 Oct 2023 07:43:00 +0000
> Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> > what happens with command (man "[") in this case?
> 
> It works fine here with that patch.  IOW, I get the expected man page
> 
>      test, [ – condition evaluation utility

Does it also work correctly in all the scenarios described in
bug#64795, including completion?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 11:57:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 07:57:04 2023
Received: from localhost ([127.0.0.1]:34166 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqBMG-0006ly-1U
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:57:04 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:59060)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rms@HIDDEN>) id 1qqBMB-0006lQ-Gi
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:57:02 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <rms@HIDDEN>)
 id 1qqBLk-0008Sq-MU; Tue, 10 Oct 2023 07:56:32 -0400
Received: from rms by fencepost.gnu.org with local (Exim 4.90_1)
 (envelope-from <rms@HIDDEN>)
 id 1qqBLk-0005VF-9r; Tue, 10 Oct 2023 07:56:32 -0400
Content-Type: text/plain; charset=Utf-8
From: Richard Stallman <rms@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <83ttr0vyyi.fsf@HIDDEN> (message from Eli Zaretskii on Mon, 09
 Oct 2023 14:04:37 +0300)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
 <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN>
 <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN>
 <87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN>
 <83h6n2z3tr.fsf@HIDDEN> <E1qpg8N-0004yH-3Y@HIDDEN>
 <83ttr0vyyi.fsf@HIDDEN>
Message-Id: <E1qqBLk-0005VF-9r@HIDDEN>
Date: Tue, 10 Oct 2023 07:56:32 -0400
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Reply-To: rms@HIDDEN
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > We don't retrofit fixes into old branches of Emacs that are no longer
  > developed; 

In general, that is a reasonable policy -- but maybe a serious
security problem, which this seems to be, calls for special treatment.

               we leave that to the distros (who maintain old Emacs
  > versions for many more years than we do).

That might be sufficient for the problem, but we should think
carefully about whether it _is_ sufficient.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 11:10:14 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 07:10:14 2023
Received: from localhost ([127.0.0.1]:34105 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqAcw-0002Sh-06
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:10:14 -0400
Received: from mail-lj1-x236.google.com ([2a00:1450:4864:20::236]:50583)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <manikulin@HIDDEN>) id 1qqAcu-0002SS-30
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 07:10:12 -0400
Received: by mail-lj1-x236.google.com with SMTP id
 38308e7fff4ca-2c189dabcc3so65547791fa.1
 for <66390 <at> debbugs.gnu.org>; Tue, 10 Oct 2023 04:09:50 -0700 (PDT)
X-Received: by 2002:a2e:92c6:0:b0:2bf:e9e8:de23 with SMTP id
 k6-20020a2e92c6000000b002bfe9e8de23mr13619176ljh.16.1696936184727; 
 Tue, 10 Oct 2023 04:09:44 -0700 (PDT)
Received: from [192.168.0.101] (nat-0-0.nsk.sibset.net. [5.44.169.188])
 by smtp.googlemail.com with ESMTPSA id
 k11-20020a2e888b000000b002c00da5c522sm2387803lji.78.2023.10.10.04.09.43
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 10 Oct 2023 04:09:44 -0700 (PDT)
Message-ID: <76847bef-83a5-4bbe-8641-9dd82cf377a2@HIDDEN>
Date: Tue, 10 Oct 2023 18:09:43 +0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Content-Language: en-US, ru-RU
To: Eli Zaretskii <eliz@HIDDEN>, lux <lx@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <834jizwxm2.fsf@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <834jizwxm2.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 09/10/2023 23:48, Eli Zaretskii wrote:
> And I ask again: what happens with command (man "[") in this case?

"sh" "-c" "man  [ 2>/dev/null | sed  -e '/^[\1-\32][\1-\32]*$/d' #...

so the code in man.el relies on "[" not being interpreted as a special 
character when it is alone. It is not escaped!

Perhaps you are confused by the following commit

4ef9cc5a5de 2023-07-26 17:30:21 +0300 Eli Zaretskii: Fix "M-x man RET [ RET"

It affects completion, but not M-x man RET [ RET. (And I am surprised 
that "@" is treated specially for some reason.)

> Please believe me: this is not simple.  There's more here than meets
> the eye.  In addition to all kinds of weird characters in man-page
> names, you also need to consider SEE ALSO links from one man page to
> another, which can cross lines and include dashes and whitespace.
> Etc. etc...  I had my share of messing with this code, and one thing I
> know is that nothing is ever as simple as quoting here.

References split across lines should be handled by the code that 
creates/opens references, not by `man'. `man' should receive cleaned up 
references. (Cross-references are a case where a properly implemented roff 
parser has advantages over dealing with text formatted for a tty.)

If you believe that other packages must not call `man' then this 
function should not have an argument since it is a part of the public interface.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 10:55:36 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 06:55:36 2023
Received: from localhost ([127.0.0.1]:34096 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qqAOl-0007ng-Oo
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 06:55:36 -0400
Received: from mail-lf1-x12b.google.com ([2a00:1450:4864:20::12b]:49263)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <manikulin@HIDDEN>) id 1qqAOf-0007nI-MA
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 06:55:34 -0400
Received: by mail-lf1-x12b.google.com with SMTP id
 2adb3069b0e04-5031ccf004cso6662492e87.2
 for <66390 <at> debbugs.gnu.org>; Tue, 10 Oct 2023 03:55:08 -0700 (PDT)
X-Received: by 2002:a19:5e10:0:b0:4f9:5519:78b8 with SMTP id
 s16-20020a195e10000000b004f9551978b8mr12147469lfb.63.1696935301920; 
 Tue, 10 Oct 2023 03:55:01 -0700 (PDT)
Received: from [192.168.0.101] (nat-0-0.nsk.sibset.net. [5.44.169.188])
 by smtp.googlemail.com with ESMTPSA id
 j13-20020ac253ad000000b00504211d2a7bsm1749758lfh.297.2023.10.10.03.55.00
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 10 Oct 2023 03:55:01 -0700 (PDT)
Message-ID: <262ed9fe-b92b-489d-b1f0-5202bfdb088b@HIDDEN>
Date: Tue, 10 Oct 2023 17:54:59 +0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Content-Language: en-US, ru-RU
To: lux <lx@HIDDEN>, Eli Zaretskii <eliz@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 09/10/2023 23:30, lux wrote:
> 
> Here's my patch and the test cases.

Thank you for your attempt to fix the issue. Unfortunately the proposed 
patch breaks the following case

    M-x man RET -k man RET

That is why I wrote that each word should be escaped independently.

I am unsure if (man "-k man") should be supported as a call with an argument.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.
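
The trade-off raised in the message above (quoting the whole string breaks `-k man`, while quoting each word keeps it working), shown as an added example that is not part of any message in this thread and is not Emacs code. It assumes a Python stand-in for the external man program that only reports its argument vector, whitespace word splitting, and hypothetical function names; `shlex.quote` plays the role that `shell-quote-argument` has in Emacs Lisp.

```python
"""Whole-string vs. per-word shell quoting of user-supplied man arguments.

Added illustration only: a Python stand-in, not the Emacs implementation.
"""
import json
import shlex
import subprocess
import sys

# Stand-in for the external man program (assumption for this demo): it only
# prints the argument vector it received as JSON, so no manual page is read.
_REPORT_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"
FAKE_MAN = " ".join(shlex.quote(p) for p in (sys.executable, "-c", _REPORT_ARGV))


def unquoted(man_args: str) -> str:
    """Paste the user's string into the command line verbatim (the reported bug)."""
    return f"{FAKE_MAN} {man_args}"


def quoted_whole(man_args: str) -> str:
    """Quote the entire string as one shell word."""
    return f"{FAKE_MAN} {shlex.quote(man_args)}"


def quoted_per_word(man_args: str) -> str:
    """Split on whitespace first, then quote every word on its own."""
    return " ".join([FAKE_MAN, *map(shlex.quote, man_args.split())])


def run(command_line: str):
    """Run COMMAND_LINE through /bin/sh.

    Returns (argv the stand-in received, output lines from anything else
    the shell executed after it).
    """
    proc = subprocess.run(command_line, shell=True, capture_output=True,
                          text=True, check=False)
    lines = proc.stdout.splitlines()
    return json.loads(lines[0]), lines[1:]


# Constructed sample inputs: an option plus keyword, a string containing a
# shell metacharacter with a harmless marker command, and the page name "[".
SAMPLES = ["-k man", ";echo INJECTED", "["]

if __name__ == "__main__":
    for sample in SAMPLES:
        for build in (unquoted, quoted_whole, quoted_per_word):
            argv, extra = run(build(sample))
            print(f"{sample!r:18} {build.__name__:16} argv={argv} extra={extra}")
```

Any non-empty `extra` list means the shell ran something other than the stand-in; a single-element argv for `-k man` means the option was swallowed into the page name.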

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 07:43:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Oct 10 03:43:31 2023
Received: from localhost ([127.0.0.1]:33910 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qq7Ot-0000hY-BU
	for submit <at> debbugs.gnu.org; Tue, 10 Oct 2023 03:43:31 -0400
Received: from mail-lf1-x12d.google.com ([2a00:1450:4864:20::12d]:57661)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1qq7Oq-0000hF-MP
 for 66390 <at> debbugs.gnu.org; Tue, 10 Oct 2023 03:43:29 -0400
Received: by mail-lf1-x12d.google.com with SMTP id
 2adb3069b0e04-505748580ceso6727597e87.3
 for <66390 <at> debbugs.gnu.org>; Tue, 10 Oct 2023 00:43:07 -0700 (PDT)
X-Received: by 2002:a05:6512:605:b0:503:1ca6:c590 with SMTP id
 b5-20020a056512060500b005031ca6c590mr13459376lfe.22.1696923781519; Tue, 10
 Oct 2023 00:43:01 -0700 (PDT)
Received: from 753933720722 named unknown by gmailapi.google.com with
 HTTPREST; Tue, 10 Oct 2023 07:43:00 +0000
From: Stefan Kangas <stefankangas@HIDDEN>
In-Reply-To: <834jizwxm2.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN> <834jizwxm2.fsf@HIDDEN>
MIME-Version: 1.0
Date: Tue, 10 Oct 2023 07:43:00 +0000
Message-ID: <CADwFkm=Yov5nmWB8JSJ+hNG_Hs=ayG+Efb46fLnhR5WjVA1Ukw@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>, lux <lx@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-Spam-Score: -1.0 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

> what happens with command (man "[") in this case?

It works fine here with that patch.  IOW, I get the expected man page

     test, [ – condition evaluation utility




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 10 Oct 2023 02:47:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 22:47:58 2023
Received: from localhost ([127.0.0.1]:33713 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qq2mr-0000a4-F4
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 22:47:57 -0400
Received: from out162-62-57-87.mail.qq.com ([162.62.57.87]:59113)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lx@HIDDEN>) id 1qq2ml-0000Zi-AC
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 22:47:55 -0400
Received: from [10.8.192.150] ([140.210.194.131])
 by newxmesmtplogicsvrszb1-0.qq.com (NewEsmtp) with SMTP
 id BD1A64CD; Tue, 10 Oct 2023 10:47:17 +0800
X-QQ-mid: xmsmtpt1696906037tiyxbgqmk
Message-ID: <tencent_19A566126A8A6B26EFA0E463C2D383F33809@HIDDEN>
X-OQ-MSGID: <bfd8c0f9d6ba3fda09bf5be4f855d13351a844a4.camel@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
From: lux <lx@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Date: Tue, 10 Oct 2023 10:47:17 +0800
In-Reply-To: <834jizwxm2.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <834jizwxm2.fsf@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.50.0-1 
MIME-Version: 1.0
X-Spam-Score: 3.1 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  On Mon, 2023-10-09 at 19:48 +0300, Eli Zaretskii wrote: >
 > From: lux <lx@HIDDEN> > > Cc: 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN
 > > Date: Tue, 10 Oct 2023 00:30:06 +0800 > > > > There [...] 
 Content analysis details:   (3.1 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 -0.5 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [162.62.57.87 listed in wl.mailspike.net]
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [162.62.57.87 listed in list.dnswl.org]
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
 dynamic-looking rDNS
 3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
 addr 1)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-Spam-Score: 2.1 (++)

On Mon, 2023-10-09 at 19:48 +0300, Eli Zaretskii wrote:
> > From: lux <lx@HIDDEN>
> > Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> > Date: Tue, 10 Oct 2023 00:30:06 +0800
> >
> > There is indeed a code injection vulnerability issue here, for example:
> >
> >   (man ";ls")    <-- The `ls' command will be executed.
>
> So does this:
>
>   (shell-command "ls")
>
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command?  We cannot do that.
>
>

The responsibilities of `shell-command' are clear: execute string COMMAND in
an inferior shell. But for `man' they are not; we cannot describe `man' as being
"Get a Un*x manual page and put it in a buffer. But sometimes it can, by the
way, execute shell code."

For filenames, the "(", ")", and ";" characters all work. I think we should be
able to handle them correctly, or described in the docstring.





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 17:20:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 13:20:34 2023
Received: from localhost ([127.0.0.1]:33045 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qptvm-0005Yk-KG
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 13:20:34 -0400
Received: from mail-out.m-online.net ([2001:a60:0:28:0:1:25:1]:39004)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <whitebox@HIDDEN>) id 1qptvh-0005YR-Eh
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 13:20:33 -0400
Received: from frontend01.mail.m-online.net (unknown [192.168.8.182])
 by mail-out.m-online.net (Postfix) with ESMTP id 4S45Pw6Rhyz1sBpn;
 Mon,  9 Oct 2023 19:20:04 +0200 (CEST)
Received: from localhost (dynscan1.mnet-online.de [192.168.6.68])
 by mail.m-online.net (Postfix) with ESMTP id 4S45Pw4kY8z1qqlb;
 Mon,  9 Oct 2023 19:20:04 +0200 (CEST)
X-Virus-Scanned: amavis at mnet-online.de
Received: from mail.mnet-online.de ([192.168.8.182])
 by localhost (dynscan1.mail.m-online.net [192.168.6.68]) (amavis, port 10024)
 with ESMTP id Fi5tXqFH-cXX; Mon,  9 Oct 2023 19:20:03 +0200 (CEST)
X-Auth-Info: qPwoZ5uIUG6GzCIvPRp/GXmAjTuXn6VJK4UERQ3BQctdKUXb2IB1B6JCPYHkwg/H
Received: from igel.home (aftr-62-216-205-170.dynamic.mnet-online.de
 [62.216.205.170])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by mail.mnet-online.de (Postfix) with ESMTPSA;
 Mon,  9 Oct 2023 19:20:03 +0200 (CEST)
Received: by igel.home (Postfix, from userid 1000)
 id 9C2872C01A1; Mon,  9 Oct 2023 19:20:03 +0200 (CEST)
From: Andreas Schwab <schwab@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <834jizwxm2.fsf@HIDDEN> (Eli Zaretskii's message of "Mon, 09 Oct
 2023 19:48:21 +0300")
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
 <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN>
 <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN>
 <87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN>
 <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN>
 <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <834jizwxm2.fsf@HIDDEN>
X-Yow: This ASIAGO-N-DRIED TOMATO combo would taste a lot better between two
 plastic SIPPER LIDS!
Date: Mon, 09 Oct 2023 19:20:03 +0200
Message-ID: <87sf6ju30c.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.5 (/)
X-Debbugs-Envelope-To: 66390
Cc: lux <lx@HIDDEN>, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN
X-Spam-Score: -1.5 (-)

On Oct 09 2023, Eli Zaretskii wrote:

>> From: lux <lx@HIDDEN>
>> Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
>> Date: Tue, 10 Oct 2023 00:30:06 +0800
>> 
>> There is indeed a code injection vulnerability issue here, for example:
>> 
>>   (man ";ls")    <-- The `ls' command will be executed.
>
> So does this:
>
>   (shell-command "ls")

shell-command does what it is supposed to do.  man, on the other hand,
is supposed to display a manpage, _not_ execute an arbitrary command
line.  While the doc string of the man command says that it runs a
command to do its work, it does not explain how man-args is related to
that command.

-- 
Andreas Schwab, schwab@HIDDEN
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 17:06:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 13:06:30 2023
Received: from localhost ([127.0.0.1]:33039 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qptiA-00053R-3f
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 13:06:30 -0400
Received: from mout02.posteo.de ([185.67.36.66]:37075)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <yantar92@HIDDEN>) id 1qpti6-00053B-Ux
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 13:06:28 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 03EBE240105
 for <66390 <at> debbugs.gnu.org>; Mon,  9 Oct 2023 19:05:59 +0200 (CEST)
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4S455g0FgFz9rxq;
 Mon,  9 Oct 2023 19:05:58 +0200 (CEST)
From: Ihor Radchenko <yantar92@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <834jizwxm2.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
 <834jizwxm2.fsf@HIDDEN>
Date: Mon, 09 Oct 2023 17:07:36 +0000
Message-ID: <87zg0rbu7b.fsf@localhost>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66390
Cc: lux <lx@HIDDEN>, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org,
 michael.albinus@HIDDEN
X-Spam-Score: -3.3 (---)

Eli Zaretskii <eliz@HIDDEN> writes:

>> There is indeed a code injection vulnerability issue here, for example:
>> 
>>   (man ";ls")    <-- The `ls' command will be executed.
>
> So does this:
>
>   (shell-command "ls")
>
> Does it mean we will disallow shell-command? or forcibly quote every
> shell command?  We cannot do that.

You seem to have an idea what the MAN-ARGS argument in `man' does. But it is
not described in the docstring. I think it would help if the docstring were
more clear about the command argument.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 16:49:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 12:49:23 2023
Received: from localhost ([127.0.0.1]:32990 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qptRa-0004P7-TO
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 12:49:23 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:51510)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1qptRY-0004On-Bi
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 12:49:21 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1qptR6-0004TV-1B; Mon, 09 Oct 2023 12:48:53 -0400
Date: Mon, 09 Oct 2023 19:48:21 +0300
Message-Id: <834jizwxm2.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: lux <lx@HIDDEN>
In-Reply-To: <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN> (message
 from lux on Tue, 10 Oct 2023 00:30:06 +0800)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-Spam-Score: -3.3 (---)

> From: lux <lx@HIDDEN>
> Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
> Date: Tue, 10 Oct 2023 00:30:06 +0800
> 
> There is indeed a code injection vulnerability issue here, for example:
> 
>   (man ";ls")    <-- The `ls' command will be executed.

So does this:

  (shell-command "ls")

Does it mean we will disallow shell-command? or forcibly quote every
shell command?  We cannot do that.

> Here's my patch and the test cases.

And I ask again: what happens with command (man "[") in this case?

Please believe me: this is not simple.  There's more here than meets
the eye.  In addition to all kinds of weird characters in man-page
names, you also need to consider SEE ALSO links from one man page to
another, which can cross lines and include dashes and whitespace.
Etc. etc...  I had my share of messing with this code, and one thing I
know is that nothing is ever as simple as quoting here.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 16:31:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 12:31:10 2023
Received: from localhost ([127.0.0.1]:60767 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qpt9y-0003E4-5T
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 12:31:10 -0400
Received: from out203-205-251-72.mail.qq.com ([203.205.251.72]:34995)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lx@HIDDEN>) id 1qpt9u-0003DS-A8
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 12:31:09 -0400
Received: from [IPv6:240e:399:e6f:ee32:191c:f145:5e9e:d7e0]
 ([240e:399:e6f:ee32:191c:f145:5e9e:d7e0])
 by newxmesmtplogicsvrsza12-0.qq.com (NewEsmtp) with SMTP
 id 786B04B2; Tue, 10 Oct 2023 00:30:06 +0800
X-QQ-mid: xmsmtpt1696869006t5epu5ma7
Message-ID: <tencent_2EBCD42CDD9DC80B87AB06BB70EACCF8D60A@HIDDEN>
X-QQ-XMRINFO: OD9hHCdaPRBwq3WW+NvGbIU=
X-OQ-MSGID: <0dd3584d2bc7d2f904e36c2110c1b293f440ce52.camel@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
From: lux <lx@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>, Max Nikulin <manikulin@HIDDEN>
Date: Tue, 10 Oct 2023 00:30:06 +0800
In-Reply-To: <831qe5znrz.fsf@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
Content-Type: multipart/mixed; boundary="=-PyOEwl+ewaSzzvy50QcG"
User-Agent: Evolution 3.50.0-1 
MIME-Version: 1.0
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  On Sun, 2023-10-08 at 08:28 +0300, Eli Zaretskii wrote: >
 > Date: Sun, 8 Oct 2023 10:37:33 +0700 > > Cc: 66390 <at> debbugs.gnu.org > > From:
 Max Nikulin <manikulin@HIDDEN> > > > > On 08/10/2023 01:26, [...] 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [203.205.251.72 listed in list.dnswl.org]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
 dynamic-looking rDNS
 3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
 addr 1)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.6 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  On Sun, 2023-10-08 at 08:28 +0300, Eli Zaretskii wrote: >
   > Date: Sun, 8 Oct 2023 10:37:33 +0700 > > Cc: 66390 <at> debbugs.gnu.org > > From:
    Max Nikulin <manikulin@HIDDEN> > > > > On 08/10/2023 01:26, [...] 
 
 Content analysis details:   (2.6 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                              no trust
                             [203.205.251.72 listed in list.dnswl.org]
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
  0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                             dynamic-looking rDNS
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager
  3.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP
                             addr 1)

--=-PyOEwl+ewaSzzvy50QcG
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 2023-10-08 at 08:28 +0300, Eli Zaretskii wrote:
> > Date: Sun, 8 Oct 2023 10:37:33 +0700
> > Cc: 66390 <at> debbugs.gnu.org
> > From: Max Nikulin <manikulin@HIDDEN>
> >
> > On 08/10/2023 01:26, Eli Zaretskii wrote:
> > >
> > > So the problem _is_ with the shell?  If so, the best way of avoiding
> > > these problems is not invoke 'man' via the shell, but via call-process
> > > and its ilk instead.
> >
> > It will be great if it is possible to avoid shell in the middle. However
> > - man.el uses pipes with sed and awk to post-process output of man
> > executable.
> > - if support of remote man files is considered then it is even more hard
> > to avoid shell. SSH assumes shell commands.
>
> Even if sometimes the shell cannot be avoided (which has yet to be
> established, AFAIU), it's not an argument against avoiding it where
> possible, because that solves any security issues, definitely those
> you brought up.
>
> > I had in mind using at least `shell-quote-argument'.
>
> That doesn't work with 'man', which has its own ideas about quoting,
> besides shell-related quoting.
>
> > The issues of sanitizing outputs in callers
> > - If there was a safe function in man.el then callers code would be more
> > simple, so it would be less probable to introduce bugs in such code.
> > - behavior of the `man' emacs command is *underspecified*, so it is hard
> > to provide safe argument for it. Some parenthesis are allowed as in
> > "man(1)" others may be interpreted by shell.
> > - `shell-quote-argument' in callers would rely on man.el implementation
> > details at best or may even lead to undefined behavior since I see have
> > no way to bypass some processing of the argument of the `man' emacs command.
>
> Reiterating what you already said doesn't help to have a productive
> discussion.
>
> > Execution a part of `man' emacs command argument by shell is a surprise
> > to the user any case. Ideally elisp code should prevent it and man.el
> > should emit an error.
>
> IMO, this ideal cannot be reached in practice, let alone kept for any
> length of time.  Systems are adding strangely-named man pages all the
> time.  We had quite a few bug reports about that during the recent
> years.
>
> > Attempts to call of `man' from other packages is an open door for
> > security vulnerabilities.
>
> Then perhaps those other packages shouldn't call 'man'.
>
>
>

Hi,

There is indeed a code injection vulnerability issue here, for example:

  (man ";ls")    <-- The `ls' command will be executed.

I think the fix can start with the `Man-translate-references' function.

Here's my patch and the test cases.

--=-PyOEwl+ewaSzzvy50QcG
Content-Disposition: attachment; filename="0001-Fix-man.el-code-injection-vulnerability.patch"
Content-Type: text/x-patch; name="0001-Fix-man.el-code-injection-vulnerability.patch";
	charset="UTF-8"
Content-Transfer-Encoding: base64



--=-PyOEwl+ewaSzzvy50QcG--
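
The three ways of handing a topic to a `man | sed` pipeline that this thread weighs (pasting it into the command string, quoting each word first, and keeping it out of the shell's parser), as an added shell example that is not code from man.el or from any participant. Assumptions: `printf` stands in for `man`, `sh_quote` stands in for `shell-quote-argument`, the third variant is a shell-level analogue of the call-process suggestion, and all topics are constructed.

```shell
#!/bin/sh
# Added example: how a man-page topic reaches a "man | sed" pipeline.
# printf stands in for man(1) and echoes every argument it receives, so the
# script runs without man pages installed. All topics below are constructed.

# POSIX single-quote quoting, a stand-in for Emacs's `shell-quote-argument'.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 1. Topic pasted into the script text: sh parses it as shell syntax.
run_interpolated() {
    sh -c "printf 'arg:%s\n' $1 | sed -e 's/^/out:/'" 2>/dev/null
}

# 2. Each whitespace-separated word quoted before pasting, so a
#    "SECTION NAME" topic still arrives as two arguments.
run_quoted_words() {
    quoted=
    set -f                      # split on whitespace only, no globbing
    for word in $1; do
        quoted="$quoted $(sh_quote "$word")"
    done
    set +f
    sh -c "printf 'arg:%s\n' $quoted | sed -e 's/^/out:/'"
}

# 3. Script text is constant; the topic travels as positional parameter $1
#    and is never parsed as shell syntax. The pipe is still available.
run_argv() {
    sh -c 'printf "arg:%s\n" "$1" | sed -e "s/^/out:/"' sh "$1"
}

# True when the output shows the marker command ran on its own, i.e. its
# text bypassed the stand-in and went through sed as a separate command.
injected() {
    printf '%s\n' "$1" | grep -qx 'out:INJECTED'
}

demo() {
    for topic in '1 ls' '[' ';echo INJECTED'; do
        printf 'topic: %s\n' "$topic"
        printf '  interpolated: %s\n' "$(run_interpolated "$topic" | tr '\n' ' ')"
        printf '  quoted words: %s\n' "$(run_quoted_words "$topic" | tr '\n' ' ')"
        printf '  argv:         %s\n' "$(run_argv "$topic" | tr '\n' ' ')"
    done
}

demo
```

All three variants only concern how the shell parses the topic; how `man` itself interprets the resulting arguments is a separate question, as the thread notes.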





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 15:53:37 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 11:53:37 2023
Received: from localhost ([127.0.0.1]:60720 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qpsZd-0001sb-1B
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 11:53:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48674)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1qpsZa-0001sO-MF
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 11:53:35 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1qpsZ6-000855-NR; Mon, 09 Oct 2023 11:53:08 -0400
Date: Mon, 09 Oct 2023 18:52:52 +0300
Message-Id: <83bkd7x06j.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <a4a1b6d4-8fb4-4f5f-aafc-a9521bcbbcc3@HIDDEN> (message from
 Max Nikulin on Mon, 9 Oct 2023 22:12:34 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
 <a4a1b6d4-8fb4-4f5f-aafc-a9521bcbbcc3@HIDDEN>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> Date: Mon, 9 Oct 2023 22:12:34 +0700
> Cc: michael.albinus@HIDDEN, 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
> 
> On 08/10/2023 12:28, Eli Zaretskii wrote:
> >> Date: Sun, 8 Oct 2023 10:37:33 +0700 From: Max Nikulin
> > 
> >> I had in mind using at least `shell-quote-argument'.
> > That doesn't work with 'man', which has its own ideas about quoting,
> > besides shell-related quoting.
> 
> I see usage of `shell-quote-argument' for completion where shell is not 
> involved. During formatting there is parsing of references with some 
> regular expressions to get (X) section suffix, but I have not noticed 
> quoting. Certainly the code relies on spaces passed literally and 
> substituted into shell command directly. If there were page names with 
> spaces it would be a problem.
> 
> I mean passing through `shell-quote-argument' each word returned by 
> `Man-translate-references'

What will this do with a man page called [.1 ?

> (defun Man-translate-cleanup (string)
>    "Strip leading, trailing and middle spaces."
>     ^^^^^^^^^^^^^
> 
> (Man-translate-cleanup " w")
> " w"

But

  (Man-translate-cleanup " ww")
    => "ww"




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 15:13:11 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 11:13:11 2023
Received: from localhost ([127.0.0.1]:60702 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qprwR-0000YM-5O
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 11:13:11 -0400
Received: from mail-lj1-x22a.google.com ([2a00:1450:4864:20::22a]:60689)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <manikulin@HIDDEN>) id 1qprwN-0000Xo-3J
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 11:13:05 -0400
Received: by mail-lj1-x22a.google.com with SMTP id
 38308e7fff4ca-2bfed7c4e6dso52118301fa.1
 for <66390 <at> debbugs.gnu.org>; Mon, 09 Oct 2023 08:12:42 -0700 (PDT)
X-Gm-Message-State: AOJu0YzGmjtU6+++ks8u2GAWy01oD/30gCxvAE4urN8nV+s94/1laHj8
 RXNFEodVcA9oYtRISHazSHk=
X-Google-Smtp-Source: AGHT+IEaATbEm/1n3pGgiUavsUbLCpzM4ZZIfi+Tbt93EDGDBh4PJSi3VPhxGlK0D3Q6Vbn8fSyIMQ==
X-Received: by 2002:a2e:9b51:0:b0:2b9:412a:111d with SMTP id
 o17-20020a2e9b51000000b002b9412a111dmr15609822ljj.42.1696864356199; 
 Mon, 09 Oct 2023 08:12:36 -0700 (PDT)
Received: from [192.168.0.101] (nat-0-0.nsk.sibset.net. [5.44.169.188])
 by smtp.googlemail.com with ESMTPSA id
 e9-20020a2e8189000000b002c12630e4d3sm2099487ljg.127.2023.10.09.08.12.35
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 09 Oct 2023 08:12:35 -0700 (PDT)
Message-ID: <a4a1b6d4-8fb4-4f5f-aafc-a9521bcbbcc3@HIDDEN>
Date: Mon, 9 Oct 2023 22:12:34 +0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Content-Language: en-US, ru-RU
To: Eli Zaretskii <eliz@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN> <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN> <87mswugyoq.fsf@HIDDEN>
 <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN> <83h6n2z3tr.fsf@HIDDEN>
 <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> <831qe5znrz.fsf@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <831qe5znrz.fsf@HIDDEN>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On 08/10/2023 12:28, Eli Zaretskii wrote:
>> Date: Sun, 8 Oct 2023 10:37:33 +0700 From: Max Nikulin
> 
>> I had in mind using at least `shell-quote-argument'.
> That doesn't work with 'man', which has its own ideas about quoting,
> besides shell-related quoting.

I see usage of `shell-quote-argument' for completion where shell is not 
involved. During formatting there is parsing of references with some 
regular expressions to get (X) section suffix, but I have not noticed 
quoting. Certainly the code relies on spaces passed literally and 
substituted into shell command directly. If there were page names with 
spaces it would be a problem.

I mean passing through `shell-quote-argument' each word returned by 
`Man-translate-references'

P.S.

(defun Man-translate-cleanup (string)
   "Strip leading, trailing and middle spaces."
    ^^^^^^^^^^^^^

(Man-translate-cleanup " w")
" w"

?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 9 Oct 2023 11:06:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 09 07:06:04 2023
Received: from localhost ([127.0.0.1]:59405 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1qpo5M-0004Sh-6k
	for submit <at> debbugs.gnu.org; Mon, 09 Oct 2023 07:06:04 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:35884)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1qpo5I-0004S1-Fp
 for 66390 <at> debbugs.gnu.org; Mon, 09 Oct 2023 07:06:02 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1qpo4s-00042L-Gb; Mon, 09 Oct 2023 07:05:34 -0400
Date: Mon, 09 Oct 2023 14:04:37 +0300
Message-Id: <83ttr0vyyi.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: rms@HIDDEN
In-Reply-To: <E1qpg8N-0004yH-3Y@HIDDEN> (message from Richard
 Stallman on Sun, 08 Oct 2023 22:36:39 -0400)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
 <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN>
 <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN>
 <87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN> <87a5sugwcx.fsf@HIDDEN>
 <83h6n2z3tr.fsf@HIDDEN> <E1qpg8N-0004yH-3Y@HIDDEN>
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: Richard Stallman <rms@HIDDEN>
> Cc: michael.albinus@HIDDEN, manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
> Date: Sun, 08 Oct 2023 22:36:39 -0400
> 
>   > We can do something, just not the way it was suggested: avoid using
>   > the shell.
> 
> I wonder: do we need to backport this fix to old Emacs versions that we
> do not normally maintain at all, because of the insecurity?

We don't retrofit fixes into old branches of Emacs that are no longer
developed; we leave that to the distros (who maintain old Emacs
versions for many more years than we do).  At this time, this means
only Emacs 29.x and newer can get such fixes, but not older versions.

(Btw, there's no fix yet, just discussions about what would be the
most appropriate fix.)





Message received at 66390 <at> debbugs.gnu.org:


From: Richard Stallman <rms@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <83h6n2z3tr.fsf@HIDDEN> (message from Eli Zaretskii on Sat, 07
 Oct 2023 21:26:40 +0300)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Message-Id: <E1qpg8N-0004yH-3Y@HIDDEN>
Date: Sun, 08 Oct 2023 22:36:39 -0400
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > We can do something, just not the way it was suggested: avoid using
  > the shell.

I wonder: do we need to backport this fix to old Emacs versions that we
do not normally maintain at all, because of the insecurity?

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)







Message received at 66390 <at> debbugs.gnu.org:


Message-ID: <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@HIDDEN>
Date: Sun, 8 Oct 2023 10:42:03 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>, Michael Albinus <michael.albinus@HIDDEN>
From: Maxim Nikulin <manikulin+gzh@HIDDEN>
In-Reply-To: <83jzryz6op.fsf@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org

On 08/10/2023 00:24, Eli Zaretskii wrote:
>> From: Michael Albinus Date: Sat, 07 Oct 2023 18:55:01 +0200
> 
>> The docstring of man explains already, which kind of arguments are
>> expected.
> 
> Yes, and we update that all the time, given how the systems stretch
> these specs.

I see some discrepancy with the declaration of stable API in "Re: 
Completion of links to man pages"

On 06/10/2023 00:11, Eli Zaretskii wrote:
> From: Ihor Radchenko <yantar92@HIDDEN>
> Cc: emacs-orgmode@HIDDEN, emacs-devel@HIDDEN
> Date: Thu, 05 Oct 2023 16:53:57 +0000
>> What I am asking here is to provide a stable Elisp API for the above use
>> case. Currently, we have to rely on implementation details.
> 
> From where I stand, we have already a stable API tested by years of
> use.  What is maybe missing is some documentation to allow its easier
> use, that's all.





Message received at 66390 <at> debbugs.gnu.org:


Date: Sun, 08 Oct 2023 08:28:00 +0300
Message-Id: <831qe5znrz.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN> (message from
 Max Nikulin on Sun, 8 Oct 2023 10:37:33 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN

> Date: Sun, 8 Oct 2023 10:37:33 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
> 
> On 08/10/2023 01:26, Eli Zaretskii wrote:
> > 
> > So the problem _is_ with the shell?  If so, the best way of avoiding
> > these problems is not invoke 'man' via the shell, but via call-process
> > and its ilk instead.
> 
> It will be great if it is possible to avoid shell in the middle. However
> - man.el uses pipes with sed and awk to post-process output of man 
> executable.
> - if support of remote man files is considered then it is even harder
> to avoid shell. SSH assumes shell commands.

Even if sometimes the shell cannot be avoided (which has yet to be
established, AFAIU), it's not an argument against avoiding it where
possible, because that solves any security issues, definitely those
you brought up.

> I had in mind using at least `shell-quote-argument'.

That doesn't work with 'man', which has its own ideas about quoting,
besides shell-related quoting.

> The issues of sanitizing outputs in callers
> - If there was a safe function in man.el then callers' code would be more
> simple, so it would be less probable to introduce bugs in such code.
> - behavior of the `man' emacs command is *underspecified*, so it is hard
> to provide a safe argument for it. Some parentheses are allowed, as in
> "man(1)", others may be interpreted by shell.
> - `shell-quote-argument' in callers would rely on man.el implementation
> details at best or may even lead to undefined behavior since I see
> no way to bypass some processing of the argument of the `man' emacs command.

Reiterating what you already said doesn't help to have a productive
discussion.

> Execution of a part of the `man' emacs command argument by shell is a surprise
> to the user in any case. Ideally elisp code should prevent it and man.el
> should emit an error.

IMO, this ideal cannot be reached in practice, let alone kept for any
length of time.  Systems are adding strangely-named man pages all the
time.  We had quite a few bug reports about that during the recent
years.

> Attempts to call `man' from other packages are an open door for
> security vulnerabilities.

Then perhaps those other packages shouldn't call 'man'.





Message received at 66390 <at> debbugs.gnu.org:


Date: Sun, 08 Oct 2023 08:20:09 +0300
Message-Id: <8334ylzo52.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Maxim Nikulin <manikulin+gzh@HIDDEN>
In-Reply-To: <245d34b5-8a93-42bd-9ad8-91f6a72bb6f3@HIDDEN> (message from
 Maxim Nikulin on Sun, 8 Oct 2023 10:42:03 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: 66390 <at> debbugs.gnu.org, michael.albinus@HIDDEN

> Date: Sun, 8 Oct 2023 10:42:03 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Maxim Nikulin <manikulin+gzh@HIDDEN>
> 
> On 08/10/2023 00:24, Eli Zaretskii wrote:
> >> From: Michael Albinus Date: Sat, 07 Oct 2023 18:55:01 +0200
> > 
> >> The docstring of man explains already, which kind of arguments are
> >> expected.
> > 
> > Yes, and we update that all the time, given how the systems stretch
> > these specs.
> 
> I see some discrepancy with the declaration of stable API in "Re: 
> Completion of links to man pages"

IMO, you see something that doesn't exist.  The quoted message was
talking about Lisp API for completing names of 'man' pages, not about
the spec of 'man' arguments.





Message received at 66390 <at> debbugs.gnu.org:


Message-ID: <aaeb5c4f-2ae0-449e-9a8b-aa5155998e49@HIDDEN>
Date: Sun, 8 Oct 2023 10:37:33 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>, Michael Albinus <michael.albinus@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <83h6n2z3tr.fsf@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org

On 08/10/2023 01:26, Eli Zaretskii wrote:
> 
> So the problem _is_ with the shell?  If so, the best way of avoiding
> these problems is not invoke 'man' via the shell, but via call-process
> and its ilk instead.

It will be great if it is possible to avoid shell in the middle. However
- man.el uses pipes with sed and awk to post-process output of man 
executable.
- if support of remote man files is considered then it is even harder
to avoid shell. SSH assumes shell commands.

I had in mind using at least `shell-quote-argument'.

The issues of sanitizing outputs in callers
- If there was a safe function in man.el then callers' code would be more
simple, so it would be less probable to introduce bugs in such code.
- behavior of the `man' emacs command is *underspecified*, so it is hard
to provide a safe argument for it. Some parentheses are allowed, as in
"man(1)", others may be interpreted by shell.
- `shell-quote-argument' in callers would rely on man.el implementation
details at best or may even lead to undefined behavior since I see
no way to bypass some processing of the argument of the `man' emacs command.

Execution of a part of the `man' emacs command argument by shell is a surprise
to the user in any case. Ideally elisp code should prevent it and man.el
should emit an error.

Attempts to call `man' from other packages are an open door for
security vulnerabilities.

I was really surprised when I noticed that various Linux distributions 
patched and updated emacs even in stable releases in response to 
https://security-tracker.debian.org/tracker/CVE-2023-28617 Formally the 
score of this CVE was high.





Message received at 66390 <at> debbugs.gnu.org:


Date: Sat, 07 Oct 2023 21:26:40 +0300
Message-Id: <83h6n2z3tr.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Michael Albinus <michael.albinus@HIDDEN>
In-Reply-To: <87a5sugwcx.fsf@HIDDEN> (message from Michael Albinus on Sat, 07
 Oct 2023 19:45:18 +0200)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org

> From: Michael Albinus <michael.albinus@HIDDEN>
> Cc: manikulin@HIDDEN,  66390 <at> debbugs.gnu.org
> Date: Sat, 07 Oct 2023 19:45:18 +0200
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> >> > And what kind of shell would we assume when rejecting that?
> >>
> >> It isn't a problem of the shell. Man-translate-references manipulates
> >> the arguments in such a way that no shell quoting is needed.
> >
> > Then there's no problem to begin with, since the OP claims the problem
> > is with the shell?
> 
> The OP claims that the arguments could be misused, bypassing exotic
> strings which would do terrific work in the shell man is using.

So the problem _is_ with the shell?  If so, the best way of avoiding
these problems is not invoke 'man' via the shell, but via call-process
and its ilk instead.

> > There's only madness down that road.
> 
> Well, if you still believe there's nothing to do for us I will be quiet.

We can do something, just not the way it was suggested: avoid using
the shell.
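
The contrast drawn in the message above, between handing a command string to a shell and starting the program directly, written out as an added Emacs Lisp example; it is not code from man.el or from any participant in this thread. The `demo-' names, the constructed topic string and the use of printf as a stand-in program are assumptions, and the last function runs the sed post-processing step mentioned earlier in the thread without a shell pipe.

```elisp
;;; Added example; not code from man.el.  Every `demo-' name is hypothetical.

(defconst demo-topic "ls; echo INJECTED"
  "Constructed, harmless input that contains a shell metacharacter.")

(defun demo-via-shell (topic)
  "Splice TOPIC unquoted into a command string that a shell then parses.
The shell, not the called program, decides where the argument ends."
  (shell-command-to-string (concat "printf '[%s]\\n' " topic)))

(defun demo-via-shell-quoted (topic)
  "Like `demo-via-shell', but pass TOPIC through `shell-quote-argument'.
The shell still parses the string; the quoting makes it see one word."
  (shell-command-to-string
   (concat "printf '[%s]\\n' " (shell-quote-argument topic))))

(defun demo-via-argv (topic)
  "Start printf directly with TOPIC as a single argv element.
No shell runs, so nothing in TOPIC is treated as shell syntax."
  (with-temp-buffer
    (call-process "printf" nil t nil "[%s]\\n" topic)
    (buffer-string)))

(defun demo-man-filtered (topic sed-script)
  "Return man page TOPIC post-processed by sed SED-SCRIPT, or nil on failure.
man and sed are each started with an argument vector; the output of
man reaches sed through a buffer instead of a shell pipe."
  (with-temp-buffer
    ;; Destination (t nil): stdout into this buffer, stderr discarded.
    (when (eq 0 (call-process "man" nil '(t nil) nil topic))
      ;; DELETE = t and BUFFER = t replace the buffer text with sed's output.
      (when (eq 0 (call-process-region (point-min) (point-max)
                                       "sed" t t nil "-e" sed-script))
        (buffer-string)))))

(defun demo-compare ()
  "Return the three renderings of `demo-topic' for side-by-side inspection."
  (list :shell  (demo-via-shell demo-topic)
        :quoted (demo-via-shell-quoted demo-topic)
        :argv   (demo-via-argv demo-topic)))
```

Evaluating `(demo-compare)' shows which of the three variants lets the text after the semicolon run as its own command; `(demo-man-filtered "ls" "/^$/d")' needs man and sed on the local system.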





Message received at 66390 <at> debbugs.gnu.org:


From: Michael Albinus <michael.albinus@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <83jzryz6op.fsf@HIDDEN> (Eli Zaretskii's message of "Sat, 07 Oct
 2023 20:24:54 +0300")
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
 <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
 <83v8bizf9r.fsf@HIDDEN>
 <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
 <875y3iigua.fsf@HIDDEN> <83o7hazap7.fsf@HIDDEN>
 <87mswugyoq.fsf@HIDDEN> <83jzryz6op.fsf@HIDDEN>
Date: Sat, 07 Oct 2023 19:45:18 +0200
Message-ID: <87a5sugwcx.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Provags-ID: V03:K1:wz4lze4LeE3MMAyaW5FauJ2/gCc7LKeAt5Coo0n5MmTumLzY7qp
 IHsVZEjNGdpWvv2OobFQl74oUL+JEQF3Pieen/JChWy3wEAx3GfCJC7MfBofbQaud+5gHK0
 2cV5cAqO3ffRu9kKCFe1K2nvGjluIapaUvXHCOxt5Y6BWRJBE+ojMS28XLdH0SJzQvGsRM3
 iwQ0y2jpkr+UTsHcBBXIA==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:vGbXLoYhKZA=;yJ8PWt2J22uMtZhmI5JVX/bParc
 5OBKwAOyzEP+UbBmxyEw6Pce7HnD/Aywsu6k9mf4jMQ5bqovvI2vUpz4d/YXkIovycAMoCEQn
 PaUG/w5F6XwkQaCRwDN6M/5RhUL7wf7DMQ8noCTB5iPy8v45fIgur0SFaXdgK9SevERsQvQ0r
 rkm/OaGZvTx5/fMiBn+PS1ZRs5pJ3Aox0nCZfVuBzD68sjJIkCXCeiK7ffUpp3vLXd5esVDyW
 aYFEyqUgqg/ZL8OhykPKXV3U+ivWa+7qVCq7FrU8IOScBuCXDy+LocuvE7k2RKuidD3cIOnU8
 FCjsJS9lizZyyv0kxu402bqsvn7+HR7GYHdSuN6WEG743OTv93D/afaqLnGCkvuU0EZKb99Y8
 uGKlOFRWZ9IFX8JjyqbfoMRoghCu0z9Xdox5BYi0XrduzZPouqcYjIr7FhzYmocUXDooWfLOT
 Y03FEJ8/BwgPPvXlHXFWD4jeOfZoaq9ak/YS7fk5MXFJThMMz9hBGYACpfLDwvlJk+dTckv8i
 V66vMvswT0fOD8EAy801o+rCxzGMUYF222DahHAW2CHCvrXRMZCmW5+7RE/u3H5BCPXwBFBbh
 U+E4hjuIE3RQwmiYkH5RblR82FONSds6tzGZyWtaBzaAdTa7kKiMMiwDYILfeO3uLTqPOfSIE
 LUUU8jypKHJF0OR3vPHBiwqT3IcZa6bE8+N/QwnQJOu7uMcaP2TBR8qKt9ukLcBbyzeNIjLY5
 lOQQRDHF4LS+gh7dMmM992P1UFUyStnCDad8QB+KUgsEUu7kvkFCUddPHnhbsg4YfQxBnObWx
 SotTvnxvfjIjX3eetHWFJ0ocYwA91VAHBuLLna8giqcYx+fR7eeluWvy+9nch7WpmjXnb96HS
 raiYwMnudquHNK30OYNSVUaBsjN8e+zDMLGkN+LmMsZwmXPRE5ehPWhDMiKsTPm5NBwpnQDQA
 3IvUtSkbQ/rJGmATYFKTlAab2I0=
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 66390
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

Eli Zaretskii <eliz@HIDDEN> writes:

Hi Eli,

>> On argument syntax for man. It is documented.
>
> For what versions of 'man'?  There are a lot of different versions; I
> myself wrote a clone, for example.

I haven't written such a thing, so you will always beat me. And if you
oppose my proposals, I will happily accept it.

>> > And what kind of shell would we assume when rejecting that?
>>
>> It isn't a problem of the shell. Man-translate-references manipulates
>> the arguments in such a way that no shell quoting is needed.
>
> Then there's no problem to begin with, since the OP claims the problem
> is with the shell?

The OP claims that the arguments could be misused, bypassing exotic
strings which would do terrific work in the shell man is using.

>> > Once again, interactive invocations should let the user type whatever
>> > she wants, and if that fails in strange ways, it's on the user, not on
>> > us.
>>
>> Yes, if the user types nonsense it shall fail. The point is where to
>> fail. I believe it shall fail already in Man-translate-references, and
>> not from the man invocation with a shell.
>
> We cannot do that, unless we implement the entire behavior of 'man' in
> Emacs.
>
>> The docstring of man explains already, which kind of arguments are
>> expected.
>
> Yes, and we update that all the time, given how the systems stretch
> these specs.

No, the docstring speaks about -a, -k and -l. That's what we shall do.

> There's only madness down that road.

Well, if you still believe there's nothing to do for us I will be quiet.

Best regards, Michael.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 17:25:17 +0000
Date: Sat, 07 Oct 2023 20:24:54 +0300
Message-Id: <83jzryz6op.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Michael Albinus <michael.albinus@HIDDEN>
In-Reply-To: <87mswugyoq.fsf@HIDDEN> (message from Michael Albinus on Sat, 07
 Oct 2023 18:55:01 +0200)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org

> From: Michael Albinus <michael.albinus@HIDDEN>
> Cc: manikulin@HIDDEN,  66390 <at> debbugs.gnu.org
> Date: Sat, 07 Oct 2023 18:55:01 +0200
> 
> Eli Zaretskii <eliz@HIDDEN> writes:
> 
> Hi Eli,
> 
> >> The function `Man-translate-references' tries to do it. For example, it
> >> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> >> problem. The function should check stronger, and it should reject
> >> arguments like "File:\\:UserDirs(3pm)".
> >
> > Based on what would we reject such arguments?
> 
> On argument syntax for man. It is documented.

For what versions of 'man'?  There are a lot of different versions; I
myself wrote a clone, for example.

> > And what kind of shell would we assume when rejecting that?
> 
> It isn't a problem of the shell. Man-translate-references manipulates
> the arguments in such a way that no shell quoting is needed.

Then there's no problem to begin with, since the OP claims the problem
is with the shell?

> > Once again, interactive invocations should let the user type whatever
> > she wants, and if that fails in strange ways, it's on the user, not on
> > us.
> 
> Yes, if the user types nonsense it shall fail. The point is where to
> fail. I believe it shall fail already in Man-translate-references, and
> not from the man invocation with a shell.

We cannot do that, unless we implement the entire behavior of 'man' in
Emacs.

> The docstring of man explains already, which kind of arguments are
> expected.

Yes, and we update that all the time, given how the systems stretch
these specs.

There's only madness down that road.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 16:55:30 +0000
From: Michael Albinus <michael.albinus@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <83o7hazap7.fsf@HIDDEN> (Eli Zaretskii's message of "Sat, 07 Oct
 2023 18:58:12 +0300")
Date: Sat, 07 Oct 2023 18:55:01 +0200
Message-ID: <87mswugyoq.fsf@HIDDEN>
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

Hi Eli,

>> The function `Man-translate-references' tries to do it. For example, it
>> translates the argument "cat(1)" into "1 cat", which doesn't pose a
>> problem. The function should check stronger, and it should reject
>> arguments like "File:\\:UserDirs(3pm)".
>
> Based on what would we reject such arguments?

On argument syntax for man. It is documented.

> And what kind of shell would we assume when rejecting that?

It isn't a problem of the shell. Man-translate-references manipulates
the arguments in such a way that no shell quoting is needed.

> Once again, interactive invocations should let the user type whatever
> she wants, and if that fails in strange ways, it's on the user, not on
> us.

Yes, if the user types nonsense it shall fail. The point is where to
fail. I believe it shall fail already in Man-translate-references, and
not from the man invocation with a shell.

The docstring of man explains already, which kind of arguments are
expected. We should simply follow with the
implementation. "File:\\:UserDirs(3pm)" is not a valid argument, and
shall be rejected on Lisp level.

Best regards, Michael.
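
The two positions argued in this thread, rejecting invalid references at Lisp level (the message above) and not invoking 'man' through a shell at all (Eli Zaretskii's later reply), can be combined for non-interactive callers that take references from a file. The following is an added example, not code from man.el, ol-man.el or any participant; every `demo-' name, the accepted NAME(SECTION) syntax and the use of printf(1) as a stand-in child process are assumptions, and a POSIX system is assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; all `demo-' names are hypothetical.

(defconst demo-man-reference-regexp
  ;; NAME or NAME(SECTION).  NAME may not start with "-", so it can never
  ;; be read by man as an option.  SECTION is a digit plus optional
  ;; letters/digits ("1", "3pm").  This syntax is an assumption: real
  ;; man implementations differ, as the thread points out.
  "\\`\\([a-zA-Z0-9_][a-zA-Z0-9_.+:@-]*\\)\\(?:(\\([0-9][a-zA-Z0-9]*\\))\\)?\\'"
  "Deliberately narrow syntax accepted by `demo-man-reference-to-argv'.")

(defun demo-man-reference-to-argv (ref)
  "Translate REF into a list of arguments for man, or signal `user-error'.
\"cat(1)\" becomes (\"1\" \"cat\"); \"cat\" becomes (\"cat\")."
  (unless (and (stringp ref)
               (string-match demo-man-reference-regexp ref))
    (user-error "Not a NAME or NAME(SECTION) reference: %S" ref))
  (let ((name (match-string 1 ref))
        (section (match-string 2 ref)))
    (if section (list section name) (list name))))

(defun demo-man-page-text (ref)
  "Return the formatted text of man page REF without involving a shell.
Each element of the validated argument list reaches man as exactly one
argv entry, so no quoting rules of any shell apply."
  (let ((argv (demo-man-reference-to-argv ref)))
    (with-temp-buffer
      (let ((status (apply #'call-process "man" nil t nil argv)))
        (unless (eq status 0)
          (error "man %s exited with %S"
                 (mapconcat #'identity argv " ") status))
        (buffer-string)))))

;; The two helpers below make the difference visible.  printf(1) stands in
;; for man so the result does not depend on which pages are installed.

(defun demo-shell-sees (arg)
  "Return the output when ARG is pasted unquoted into a shell command line."
  (shell-command-to-string (concat "printf '[%s]' " arg)))

(defun demo-child-sees (&rest argv)
  "Return the output when ARGV is handed to the child by `call-process'."
  (with-temp-buffer
    (apply #'call-process "printf" nil t nil "[%s]" argv)
    (buffer-string)))

(defun demo-run ()
  "Return an alist contrasting both invocation styles and the validator."
  (let ((hostile "cat; echo INJECTED"))    ; constructed sample input
    (list
     ;; Through the shell, the text after ";" runs as a second command.
     (cons 'via-shell (demo-shell-sees hostile))
     ;; Through call-process, the same string is one inert argument.
     (cons 'via-call-process (demo-child-sees hostile))
     ;; References in the assumed syntax become separate arguments.
     (cons 'translated (demo-man-reference-to-argv "cat(1)"))
     (cons 'perl-style (demo-man-reference-to-argv "File::UserDirs(3pm)"))
     ;; Everything else is refused before any process is started.
     (cons 'rejected
           (mapcar (lambda (ref)
                     (condition-case err
                         (demo-man-reference-to-argv ref)
                       (user-error (error-message-string err))))
                   (list hostile "File:\\:UserDirs(3pm)" "-k"))))))
```

Evaluating `(demo-run)` shows the shell variant executing the trailing `echo`, while the `call-process` variant prints the whole string between one pair of brackets. The validator is intentionally stricter than interactive `man', which also accepts the options named in its docstring.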




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 15:58:26 +0000
Date: Sat, 07 Oct 2023 18:58:12 +0300
Message-Id: <83o7hazap7.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Michael Albinus <michael.albinus@HIDDEN>
In-Reply-To: <875y3iigua.fsf@HIDDEN> (message from Michael Albinus on Sat, 07
 Oct 2023 17:37:33 +0200)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: manikulin@HIDDEN, 66390 <at> debbugs.gnu.org

> From: Michael Albinus <michael.albinus@HIDDEN>
> Cc: Eli Zaretskii <eliz@HIDDEN>,  66390 <at> debbugs.gnu.org
> Date: Sat, 07 Oct 2023 17:37:33 +0200
> 
> The function `Man-translate-references' tries to do it. For example, it
> translates the argument "cat(1)" into "1 cat", which doesn't pose a
> problem. The function should check stronger, and it should reject
> arguments like "File:\\:UserDirs(3pm)".

Based on what would we reject such arguments?

And what kind of shell would we assume when rejecting that?

Once again, interactive invocations should let the user type whatever
she wants, and if that fails in strange ways, it's on the user, not on
us.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 15:38:03 +0000
From: Michael Albinus <michael.albinus@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
In-Reply-To: <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN> (Max Nikulin's
 message of "Sat, 7 Oct 2023 21:29:12 +0700")
Date: Sat, 07 Oct 2023 17:37:33 +0200
Message-ID: <875y3iigua.fsf@HIDDEN>
Cc: Eli Zaretskii <eliz@HIDDEN>, 66390 <at> debbugs.gnu.org

Max Nikulin <manikulin@HIDDEN> writes:

Hi,

>> Sorry, I disagree.  'man' is an interactive command, so it should
>> not
>> second-guess the user who invokes it.  Commands that call 'man'
>> non-interactively should make sure they call 'man' with a valid
>> argument, especially when the argument comes from some file.
>
> Does man.el provide a function that opens references to man pages, but
> that is safe in respect to shell specials?
>
> Calling of shell commands belongs to implementation details of man.el
> and effectively you require that callers must be aware of it.

I tend to agree with both :-) The caller of a shell command (`man ARGS') is
responsible for proper quoting of the arguments.

The function `Man-translate-references' tries to do it. For example, it
translates the argument "cat(1)" into "1 cat", which doesn't pose a
problem. The function should check stronger, and it should reject
arguments like "File:\\:UserDirs(3pm)". ol-man.el should be busy to
offer only valid arguments to `man' according to the man page man(1).

Oh man ...

Best regards, Michael.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 15:10:52 +0000
Date: Sat, 07 Oct 2023 18:10:36 +0300
Message-Id: <83r0m6zcwj.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN> (message from
 Max Nikulin on Sat, 7 Oct 2023 21:29:12 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
Cc: 66390 <at> debbugs.gnu.org

> Date: Sat, 7 Oct 2023 21:29:12 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
> 
> On 07/10/2023 21:19, Eli Zaretskii wrote:
> > 
> > Sorry, I disagree.  'man' is an interactive command, so it should not
> > second-guess the user who invokes it.  Commands that call 'man'
> > non-interactively should make sure they call 'man' with a valid
> > argument, especially when the argument comes from some file.
> 
> Does man.el provide a function that opens references to man pages, but 
> that is safe in respect to shell specials?
> 
> Calling of shell commands belongs to implementation details of man.el 
> and effectively you require that callers must be aware of it.

No, I just expect the callers to call 'man' with valid arguments.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Received: (at 66390) by debbugs.gnu.org; 7 Oct 2023 14:29:40 +0000
Message-ID: <1865abb8-16cd-4570-9a8a-87cf9430583d@HIDDEN>
Date: Sat, 7 Oct 2023 21:29:12 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <83v8bizf9r.fsf@HIDDEN>
Cc: 66390 <at> debbugs.gnu.org

On 07/10/2023 21:19, Eli Zaretskii wrote:
> 
> Sorry, I disagree.  'man' is an interactive command, so it should not
> second-guess the user who invokes it.  Commands that call 'man'
> non-interactively should make sure they call 'man' with a valid
> argument, especially when the argument comes from some file.

Does man.el provide a function that opens references to man pages but
is safe with respect to shell specials?

Calling shell commands belongs to the implementation details of man.el,
and effectively you require that callers must be aware of it.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.

Message received at 66390 <at> debbugs.gnu.org:


Date: Sat, 07 Oct 2023 17:19:28 +0300
Message-Id: <83v8bizf9r.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN> (message from
 Max Nikulin on Sat, 7 Oct 2023 21:12:54 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN> <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>

> Date: Sat, 7 Oct 2023 21:12:54 +0700
> Cc: 66390 <at> debbugs.gnu.org
> From: Max Nikulin <manikulin@HIDDEN>
> 
> On 07/10/2023 20:04, Eli Zaretskii wrote:
> >> From: Maxim Nikulin
> >> Date: Sat, 7 Oct 2023 19:47:04 +0700
> > 
> >> man.el should prevent substitution of shell specials literally from
> >> `man' arguments into shell commands.
> > 
> > I think callers of 'man' should prevent that instead.
> 
> If it is fixed in man.el then it is fixed for all callers. Otherwise
> every caller must have a notion of the structure of references to man
> pages instead of just treating them as an opaque sequence of characters.

Sorry, I disagree.  'man' is an interactive command, so it should not
second-guess the user who invokes it.  Commands that call 'man'
non-interactively should make sure they call 'man' with a valid
argument, especially when the argument comes from some file.





Message received at 66390 <at> debbugs.gnu.org:


Message-ID: <585dcaf0-358e-4a9d-84d1-6fd9c2c8aec5@HIDDEN>
Date: Sat, 7 Oct 2023 21:12:54 +0700
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
To: Eli Zaretskii <eliz@HIDDEN>
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
 <83wmvyzir2.fsf@HIDDEN>
From: Max Nikulin <manikulin@HIDDEN>
In-Reply-To: <83wmvyzir2.fsf@HIDDEN>

On 07/10/2023 20:04, Eli Zaretskii wrote:
>> From: Maxim Nikulin
>> Date: Sat, 7 Oct 2023 19:47:04 +0700
> 
>> man.el should prevent substitution of shell specials literally from
>> `man' arguments into shell commands.
> 
> I think callers of 'man' should prevent that instead.

If it is fixed in man.el then it is fixed for all callers. Otherwise
every caller must have a notion of the structure of references to man
pages instead of just treating them as an opaque sequence of characters.





Message received at 66390 <at> debbugs.gnu.org:


Date: Sat, 07 Oct 2023 16:04:17 +0300
Message-Id: <83wmvyzir2.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Maxim Nikulin <m.a.nikulin@HIDDEN>
In-Reply-To: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN> (message from
 Maxim Nikulin on Sat, 7 Oct 2023 19:47:04 +0700)
Subject: Re: bug#66390: `man' allows to inject arbitrary shell code
References: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>

> From: Maxim Nikulin <m.a.nikulin@HIDDEN>
> Date: Sat, 7 Oct 2023 19:47:04 +0700
> 
> man.el does not properly escape shell special characters when `man' is
> invoked with an argument to open a particular manual page. As a result,
> arbitrary shell code may be executed.
> 
> I do not consider it a real issue when the `man' command is invoked
> by a user directly. However, it is a security vulnerability when other
> packages call `man' to open a specific page.
> 
> Consider an Org mode document with the following link, with ol-man loaded:
> 
>    <man:File:\:UserDirs(3pm)>
> 
> In response to C-c C-o (`org-open-at-point') an error appears instead of
> the formatted manual page:
> 
> --- 8< ---
> /usr/bin/sh: 1: Syntax error: "(" unexpected
> 
> process exited abnormally with code 2
> --- >8 ---
> 
> Alternatively just evaluate
> 
>   (man "File:\\:UserDirs(3pm)")

Why isn't it a problem with the command that invokes 'man', in this
case Org?

> man.el should prevent substitution of shell specials literally from 
> `man' arguments into shell commands.

I think callers of 'man' should prevent that instead.





Message received at submit <at> debbugs.gnu.org:


From: Maxim Nikulin <m.a.nikulin@HIDDEN>
Message-ID: <f17b9b73-8927-446a-9e54-459aad3b7bee@HIDDEN>
Date: Sat, 7 Oct 2023 19:47:04 +0700
To: bug-gnu-emacs@HIDDEN
Subject: `man' allows to inject arbitrary shell code

man.el does not properly escape shell special characters when `man' is
invoked with an argument to open a particular manual page. As a result,
arbitrary shell code may be executed.

I do not consider it a real issue when the `man' command is invoked
by a user directly. However, it is a security vulnerability when other
packages call `man' to open a specific page.

Consider an Org mode document with the following link, with ol-man loaded:

   <man:File:\:UserDirs(3pm)>

In response to C-c C-o (`org-open-at-point') an error appears instead of
the formatted manual page:

--- 8< ---
/usr/bin/sh: 1: Syntax error: "(" unexpected

process exited abnormally with code 2
--- >8 ---

Alternatively just evaluate

  (man "File:\\:UserDirs(3pm)")

A side note: I tried to add a backslash due to an issue with ol-man that
is to be fixed. A workaround in this particular case is to remove
"(3pm)". Though the real problem is that the special characters "()" are
not quoted.

I would not consider the issue a severe one unless some users
wish to open arbitrary Org files from the net:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774#34
> Org files are native to Emacs, I wish to open Org files by using EWW.

man.el should prevent substitution of shell specials literally from 
`man' arguments into shell commands.
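
The failure reported above, reduced to a POSIX shell sketch that also shows two ways to keep the argument out of the shell parser. This is an added example, not code from man.el or from this thread; `printf` stands in for the external `man` pipeline, and the names `sh_quote`, `run_unquoted`, `run_quoted` and `run_argv` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: printf stands in for the external `man` pipeline so the
# script runs anywhere. All function names here are hypothetical.

# Quote one string for POSIX sh: wrap it in single quotes and rewrite each
# embedded ' as '\'' (close quote, escaped quote, reopen quote).
sh_quote() (
    s=$1 out= q="'"
    while :; do
        case $s in
            *"$q"*)
                head=${s%%"$q"*}      # text before the first quote
                s=${s#*"$q"}          # text after it
                out="$out$head'\\''"
                ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$s"
)

# Vulnerable pattern: the topic is spliced into a command string as-is, so
# the child shell parses "(", ")" and other specials in it as shell syntax.
run_unquoted() {
    sh -c "printf '[%s]' $1"
}

# Fix 1: quote the topic before it becomes part of the command string.
run_quoted() {
    sh -c "printf '[%s]' $(sh_quote "$1")"
}

# Fix 2: keep the command string constant and hand the topic over as a
# positional parameter; no quoting routine is needed at all.
run_argv() {
    sh -c 'printf "[%s]" "$1"' sh "$1"
}

topic='File:\:UserDirs(3pm)'    # the argument from the report
run_unquoted "$topic" || echo "unquoted: child shell failed, status $?"
run_quoted "$topic"; echo
run_argv "$topic"; echo
```

In Emacs Lisp the corresponding tools are `shell-quote-argument` for the first fix and passing arguments as a list to `call-process` for the second.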




Acknowledgement sent to Maxim Nikulin <m.a.nikulin@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#66390; Package emacs. Full text available.
Last modified: Sat, 21 Oct 2023 09:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.