bug-gnu-emacs

bug#59817: [PATCH] Fix etags local command injection vulnerability


From: lux
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 6 Dec 2022 23:49:05 +0800

On Tue, 06 Dec 2022 16:52:40 +0200
Eli Zaretskii <eliz@gnu.org> wrote:

> Windows file names cannot include quote characters, so don't use
> them.  And it's TEMP value that you need to tweak, not the file names
> etags scans.

Thank you, fixed.
 
> I don't understand why you need an extra pair of quotes in the
> expanded string.
> 
>   $ echo \''hello; world'
>   'hello; world
> 
> As you see, the semi-colon was successfully hidden from the shell.
> 
> What am I missing?

$ echo Emacs > "'hello'world"
$ cat '\''hello\''world'     <---- use \'', error
cat: '\hello\world': No such file or directory
$ cat ''\''hello'\''world'    <---- use '\''
Emacs

You can also refer to:

1. https://stackoverflow.com/questions/48970174/escape-single-quote-in-command-argument-to-sh-c

2. And I found a similar function in PHP:

$ cat test.php
<?php
        echo escapeshellarg("'hello'world");

$ php test.php
''\''hello'\''world'

Attachment: 0001-Fix-etags-local-command-injection-vulnerability.patch
Description: Text Data
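
The quoting rule shown in the message above, as an added example that is not part of the original message or of the attached patch. It builds both the '\'' form and the \'' form and lets a child shell parse each one back; the function names quote_with, sh_quote, naive_quote and roundtrip are illustrative assumptions.

```shell
#!/bin/sh
# Added example; function names are illustrative, not taken from etags.

# quote_with STRING REPL: wrap STRING in '...' after replacing every
# single quote in it with REPL. The ( ) body keeps variables local.
quote_with() (
    s=$1 out=
    while :; do
        case $s in
            *\'*) out=$out${s%%\'*}$2   # text before the first quote, then REPL
                  s=${s#*\'} ;;         # carry on after that quote
            *)    out=$out$s; break ;;
        esac
    done
    printf "'%s'" "$out"
)

# Correct form: close the quoted run, emit an escaped quote, reopen.
sh_quote()    { quote_with "$1" "'\\''"; }
# The form marked "error" in the message: no closing quote before the backslash.
naive_quote() { quote_with "$1" "\\''"; }

# roundtrip WORD: have a child shell parse WORD inside a command line
# and print the single argument it ends up with.
roundtrip() { sh -c "printf '%s' $1"; }

# Constructed sample names: the two strings used in the thread.
for name in "'hello'world" 'hello; world'; do
    good=$(sh_quote "$name")
    bad=$(naive_quote "$name")
    printf 'name:  %s\n' "$name"
    printf '  sh_quote    %s -> %s\n' "$good" "$(roundtrip "$good")"
    printf '  naive_quote %s -> %s\n' "$bad" "$(roundtrip "$bad")"
done
```

Only sh_quote returns the original name for both samples; naive_quote turns 'hello'world into \hello\world, the same wrong name cat reports in the message.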

