bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command


From: Demi Obenour
Subject: bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell
Date: Sun, 14 Aug 2016 20:44:17 -0400

We don't know what this is being used for.  For all we know, someone has written an Emacs plugin that passes a file with an attacker-controlled basename (ex. downloaded from the Internet) and uses this function to escape the filename before passing it to an external command, and in a context where there are unbalanced double quotes (say) in a known env var.  Result: remote execution of arbitrary code.


On Aug 11, 2016 8:41 PM, <address@hidden> wrote:
Demi Obenour <address@hidden> writes:

> I think that this needs to be fixed 100% — it is a security issue.

Doesn't it require the attacker to already control Emacs' environment?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]