[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Structurally fixing command injection bugs
|
From: |
lux |
|
Subject: |
Re: Structurally fixing command injection bugs |
|
Date: |
Wed, 22 Feb 2023 20:05:27 +0800 |
|
User-agent: |
Evolution 3.46.4 (3.46.4-1.fc37) |
On Wed, 2023-02-22 at 11:34 +0100, Vasilij Schneidermann wrote:
> On 02/22/23 at 06:20pm, lux wrote:
> > > PS: Where should I report analogous misuse of `shell-command-to-
> > > string`? I cannot submit patches currently because I've changed
> > > employers and need to renew copyright assignment, again (that
> > > would
> > > be the third time already).
> >
> > You can send to bug-gnu-emacs@gnu.org
>
> Yes, usually I'd just use M-x report-emacs-bug, but in this case it's
> different because I plan to develop proof of concept code (PoC) and
> submit it to the responsible maintainer for verifying the
> vulnerability
> and the fix. Publicly disclosing PoC code is usually frowned upon, no
> matter how trivial/exploitable the issue is.
At present, there is no better channel.I feel open the PoCs good for
developers to understand, fix vulnerability and improving the code
security. Make the problem public instead of hiding it.
I also want to hear the thoughts of others.