emacs-devel

Re: [PATCH] Add shell-quasiquote.


From: Stephen J. Turnbull
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Mon, 19 Oct 2015 13:32:51 +0900

Eli Zaretskii writes:
 > Random832 writes:

 > > Yes, sorry. A typical Windows program (at least, one compiled with
 > > MSVC's setargv.obj) will try to interpret wildcards in any part of
 > > CommandLineToArgv's result which contains a ? or * character, with
 > > no provision to prevent it from doing so. (In particular, double
 > > quotes have no effect).
 > 
 > This actually depends on the startup code.  The latest release of
 > mingw.org's MinGW runtime does allow you to quote wildcard characters.
 > And on Windows XP and older even the other runtimes allow that.
 > 
 > In any case, this is not an Emacs problem.

Of course it is, in a security context.  I don't think it matters
anywhere near as much as code injection, but if Emacs is built with
one of those runtimes that doesn't allow wildcards to be disabled, its
users will be affected.

I think it probably can be immediately judged irrelevant (and perhaps
that's what you meant) if Emacs is normally built with a runtime that
doesn't interpret quoted wildcards, and the runtimes that always
interpret wildcards are not supported.  But if Emacs is to meet modern
security standards, that kind of thing needs to be considered and
confirmed, and to that extent it *is* Emacs's problem.  Clearly some
developers of Emacs Lisp applications want Emacs to meet those
standards.  YMMV, and mine does:

IMHO Emacs is unlikely to meet modern security standards in my
lifetime.  I am discouraged from even thinking about it when the
advocates of security are passing strings to an unknown shell program
and then complaining that Emacs's quoting function may be insecure.
Putting a shell in the loop is already saying "Security?  What, me
worry??"  After all, even if you check for POSIX, it might be a
slightly dated installation of GNU Bash. :-(




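The point Random832 and Stephen make above is that quoting is a property of whichever parser consumes the command line, not of the program that finally receives argv: an argument can be quoted perfectly for the Windows command-line parser and still be globbed by the callee's own startup code. The model below is an added illustration for this thread, not code from Emacs or from the shell-quasiquote patch. `parse_windows_cmdline` follows Microsoft's documented MSVC argument-parsing rules (whitespace splits, double quotes group, backslash/quote escaping; the post-2008 `""` special case is left out), `quote_windows_arg` is the inverse of those rules, and `setargv_expand` is a deliberately simplified stand-in for what setargv.obj does (it matches against a constructed in-memory listing instead of the file system). All function names and the file names in `LISTING` are made up for the example.

```python
"""Why quoting for the Windows command-line parser does not stop wildcard
expansion performed by the callee's C runtime (setargv.obj-style).

Added example for the emacs-devel thread; not Emacs code.  The parser
follows Microsoft's documented MSVC rules; setargv_expand() is a
simplified model (assumption: real setargv.obj walks the file system).
"""
from fnmatch import fnmatchcase


def parse_windows_cmdline(cmdline):
    """Split a command line into argv as the MSVC runtime does.

    * space/tab separate arguments unless inside double quotes;
    * 2n backslashes before '"' give n backslashes, and the quote toggles
      quoting mode;
    * 2n+1 backslashes before '"' give n backslashes plus a literal '"';
    * backslashes not followed by '"' are literal.
    """
    argv, arg, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                arg.append('\\' * (count // 2))
                if count % 2 == 1:
                    arg.append('"')          # escaped literal quote
                else:
                    in_quotes = not in_quotes  # quote acts as delimiter
                i = j + 1
            else:
                arg.append('\\' * count)     # plain backslashes
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                argv.append(''.join(arg))
                arg, have_arg = [], False
            i += 1
        else:
            arg.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append(''.join(arg))
    return argv


def quote_windows_arg(arg):
    """Always-quote one argument so parse_windows_cmdline() returns it verbatim."""
    out, backslashes = ['"'], 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
        elif ch == '"':
            out.append('\\' * (2 * backslashes + 1) + '"')
            backslashes = 0
        else:
            out.append('\\' * backslashes + ch)
            backslashes = 0
    out.append('\\' * (2 * backslashes) + '"')  # trailing backslashes before closing quote
    return ''.join(out)


def setargv_expand(argv, listing):
    """Model of setargv.obj: any argv element containing ? or * is matched
    against `listing`; an element with no match is passed through literally.
    Note that argv has already lost its quotes, so they cannot protect it."""
    expanded = []
    for a in argv:
        if '*' in a or '?' in a:
            matches = sorted(f for f in listing if fnmatchcase(f.lower(), a.lower()))
            expanded.extend(matches or [a])
        else:
            expanded.append(a)
    return expanded


# Constructed directory listing for the demonstration (not real files).
LISTING = ['notes.txt', 'secret key.txt', 'main.c']


def demo():
    """Quote an argv correctly, re-parse it, then apply the callee's globbing."""
    wanted = ['prog.exe', '*.txt', 'say "hi"']
    cmdline = ' '.join(quote_windows_arg(a) for a in wanted)
    argv = parse_windows_cmdline(cmdline)      # round-trips exactly
    return cmdline, argv, setargv_expand(argv, LISTING)


if __name__ == '__main__':
    for label, value in zip(('cmdline', 'argv', 'after setargv'), demo()):
        print(f'{label:14} {value!r}')
```

Running it shows `"*.txt"` surviving the parser as the single argument `*.txt` and then being replaced by the matching file names anyway; only a callee whose runtime does not link setargv.obj (or one like the MinGW runtime Eli mentions, which lets quoted wildcards through) would see the literal string.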