
bug#59817: [PATCH] Fix etags local command injection vulnerability


From: Francesco Potortì
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 16:05:59 +0100

>I don't understand why you need an extra pair of quotes in the expanded
>string.
>
>  $ echo \''hello; world'
>  'hello; world
>
>As you see, the semi-colon was successfully hidden from the shell.
>
>What am I missing?

That only works at the beginning or end of a string.  In general, inside a 
single-quoted string, single quotes are not allowed.  So, to include a single 
quote inside a single-quoted string, you have to:
- close the quoted string using '
- put a literal single quote using \'
- reopen the quoted string using '

If you want to avoid checking for the special cases of a stray single string at 
beginning or end of the original string, you just quote everything with a 
single quote at beginning and end, and then substitute each ' with '\''.
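
The quoting rule described in the message above, written out as an added C example; it is not part of the original message and is not the etags source. The function name `shell_quote_single` and the sample strings are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from etags): return a malloc'd copy of S wrapped
   in single quotes for a POSIX shell, with every embedded ' rewritten as
   '\'' (close quote, escaped quote, reopen quote).  NULL on failure.  */
char *
shell_quote_single (const char *s)
{
  size_t len = strlen (s), quotes = 0;
  for (size_t i = 0; i < len; i++)
    if (s[i] == '\'')
      quotes++;

  /* Each ' grows from 1 to 4 bytes; add 2 outer quotes and the NUL.  */
  if (len > SIZE_MAX - 3 || quotes > (SIZE_MAX - len - 3) / 3)
    return NULL;
  char *out = malloc (len + 3 * quotes + 3);
  if (out == NULL)
    return NULL;

  char *p = out;
  *p++ = '\'';                      /* open the quoted string */
  for (size_t i = 0; i < len; i++)
    if (s[i] == '\'')
      {
        memcpy (p, "'\\''", 4);     /* close, literal quote, reopen */
        p += 4;
      }
    else
      *p++ = s[i];
  *p++ = '\'';                      /* close the quoted string */
  *p = '\0';
  return out;
}

int
main (void)
{
  /* Constructed sample inputs: quote at start, in the middle, and none.  */
  const char *samples[] = { "'hello; world", "it's", "plain.c", "" };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      char *q = shell_quote_single (samples[i]);
      printf ("%s\n", q ? q : "(allocation failed)");
      free (q);
    }
  return 0;
}
```
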




