[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Structurally fixing command injection bugs
|
From: |
lux |
|
Subject: |
Re: Structurally fixing command injection bugs |
|
Date: |
Wed, 22 Feb 2023 20:01:14 +0800 |
|
User-agent: |
Evolution 3.46.4 (3.46.4-1.fc37) |
On Wed, 2023-02-22 at 11:08 +0100, Vasilij Schneidermann wrote:
> I've come across a few recent bugfixes arising from the same
> underlying problem
> recently:
>
> - Command injection in etags via system(3): CVE-2022-45939
> - Command injection in htmlfontify.el via `shell-command-to-string`
> - Command injection in ruby-mode.el via `shell-command-to-string`
>
> The issue is well-known: Passing user input containing shell control
> characters to system(3) is dangerous. Quoting the argument strings is
> a
> band-aid solution. The text-book solution is to avoid using the shell
> in
> the first place whenever possible. Emacs even provides a convenient
> function for this, `process-lines`. It does not use the shell,
> accepts
> several argument strings, raises errors (rather than failing
> silently)
> and returns its output as a list of lines, thereby removing the need
> for
> removing the trailing newline.
>
> I see several options for moving forward:
>
> - Keep using `shell-command-to-string` and `shell-quote-argument`
> - Migrate existing use of `shell-command-to-string` to `process-
> lines`
> - Come up with a different replacement working much like
> `process-lines`, but returning a string instead (I have no idea
> what
> an appropriate name would be, maybe `command-to-string`?)
I've been working on these things lately. You are welcome to submit
patches to make Emacs more secure.