Re: Structurally fixing command injection bugs

From: Vasilij Schneidermann
Subject: Re: Structurally fixing command injection bugs
Date: Wed, 22 Feb 2023 11:34:30 +0100

On 02/22/23 at 06:20pm, lux wrote:
> > PS: Where should I report analogous misuse of
> > `shell-command-to-string`?  I cannot submit patches currently because
> > I've changed employers and need to renew copyright assignment, again
> > (that would be the third time already).
> You can send to bug-gnu-emacs@gnu.org

Yes, usually I'd just use M-x report-emacs-bug, but in this case it's
different because I plan to develop proof of concept code (PoC) and
submit it to the responsible maintainer for verifying the vulnerability
and the fix. Publicly disclosing PoC code is usually frowned upon, no
matter how trivial/exploitable the issue is.
