bug-gnu-emacs
From: Eli Zaretskii
Subject: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Wed, 22 Feb 2023 17:29:23 +0200

> Cc: Xi Lu <lx@shellcodes.org>
> From: Xi Lu <lx@shellcodes.org>
> Date: Wed, 22 Feb 2023 22:35:54 +0800
> 
>  (defun filesets-which-command-p (cmd)
>    "Call \"which CMD\" and return non-nil if the command was found."
> @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
>                 (funcall vwr file)
>                 nil)
>                (co-flag
> -               (shell-command-to-string (format "%s %s" vwr args)))
> +               (shell-command-to-string (shell-quote-argument
> +                                            (format "%s %s" vwr args))))
>                (t
> -               (shell-command (format "%s %s&" vwr args))
> +               (shell-command (shell-quote-argument
> +                                  (format "%s %s&" vwr args)))
>                 nil))))
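Review bot: the two `+` lines wrap `shell-quote-argument' around the entire formatted command, so `vwr', `args' and (in the `t' branch) the trailing `&' are all escaped into a single shell word and the shell will look for a program literally named "VWR ARGS"; the change does not harden the call, it breaks it. Quote each piece before formatting instead, e.g. `(shell-command-to-string (format "%s %s" (shell-quote-argument vwr) args))' with `args' assembled from individually quoted elements, or avoid the shell entirely by passing the pieces to `call-process'/`start-process' as an argument list.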

These two cannot be right: you are quoting several separate
command-line arguments.

>         (if co-flag
>             (progn
> @@ -1578,7 +1581,7 @@ filesets-run-cmd
>                                  " "))
>                                (cmd (concat fn " " args)))
>                           (filesets-cmd-show-result
> -                          cmd (shell-command-to-string cmd))))
> +                          cmd (shell-command-to-string (shell-quote-argument 
> cmd)))))
>                        ((symbolp fn)
>                         (apply fn
>                                (mapcan (lambda (this)
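Review bot: the `+` line here has the same defect: `cmd' is `(concat fn " " args)' built two lines above, so `shell-quote-argument' turns program name and arguments into one word. Quote `fn' and each element that goes into `args' before the `concat', or keep `cmd' only as the display string for `filesets-cmd-show-result' and execute the pieces with `call-process'.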

I think this is also wrong: cmd is not a single word.

In general, you cannot quote arbitrary parts of a shell command, you
can only quote each command-line argument separately.
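
Added example in Emacs Lisp, not taken from the patch or from this reply: it contrasts the patch's whole-string quoting with per-argument quoting and with a shell-free `call-process', so the word-splitting problem described above can be seen directly. The function names, the viewer name and the file name are constructed for the example.

```elisp
;; Constructed sample values (assumptions, not from the patch).
(defvar my-sample-viewer "xdg-open")
(defvar my-sample-file "report $(date).txt") ; a space plus a $( ) substitution

(defun my-quote-whole-command (viewer file)
  "Quote the whole command line, as the patch does.
The result is ONE shell word: every space and metacharacter is escaped,
so the shell searches for a program whose name is the entire string."
  (shell-quote-argument (format "%s %s" viewer file)))

(defun my-quote-each-argument (viewer file &optional background)
  "Quote VIEWER and FILE separately, then join them with a space.
The word boundary survives, FILE's metacharacters never reach the shell
as syntax, and an unquoted \" &\" can still be appended when BACKGROUND
is non-nil (the `&' must stay outside the quoting to keep its meaning)."
  (concat (mapconcat #'shell-quote-argument (list viewer file) " ")
          (and background " &")))

(defun my-run-viewer-without-shell (viewer file)
  "Run VIEWER on FILE with no shell at all and return its output.
`call-process' hands FILE to the program as a single argv element, so
no quoting is needed and nothing in FILE can be parsed as a command."
  (with-temp-buffer
    (call-process viewer nil t nil file)
    (buffer-string)))

;; Evaluate to compare the three command lines the shell would receive.
(list (my-quote-whole-command my-sample-viewer my-sample-file)
      (my-quote-each-argument my-sample-viewer my-sample-file)
      (my-quote-each-argument my-sample-viewer my-sample-file t))
```

Evaluating the final form in `M-x ielm' shows the first string as one escaped word and the other two as a program name followed by a separately escaped file name.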
