Re: Structurally fixing command injection bugs

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Structurally fixing command injection bugs

From:	Jim Porter
Subject:	Re: Structurally fixing command injection bugs
Date:	Wed, 22 Feb 2023 10:57:24 -0800

On 2/22/2023 2:08 AM, Vasilij Schneidermann wrote:

I see several options for moving forward:

[snip]

- Come up with a different replacement working much like
   `process-lines`, but returning a string instead (I have no idea what
   an appropriate name would be, maybe `command-to-string`?)

Where possible, I think this is probably best, but there are likelytimes where you really want the benefits of a shell. For example, whatif the command you want to run involves a pipeline? One option for thiswould be to enhance 'shell-command-to-string' so that you can pass itarguments that will be correctly escaped when substituted into the finalcommand string. For example:


  (shell-command-to-string "cat %s | rev" "file with a $weird name.txt")
  ;; Runs "cat 'file with a $weird name.txt' | rev"

(This is similar to what you might do when parameterizing an SQL queryor something.)

[Prev in Thread]

Current Thread

[Next in Thread]

Structurally fixing command injection bugs, Vasilij Schneidermann, 2023/02/22
- Re: Structurally fixing command injection bugs, lux, 2023/02/22
  - Re: Structurally fixing command injection bugs, Vasilij Schneidermann, 2023/02/22
    - Re: Structurally fixing command injection bugs, lux, 2023/02/22
    - Re: Structurally fixing command injection bugs, Gregory Heytings, 2023/02/22
- Re: Structurally fixing command injection bugs, lux, 2023/02/22
- Re: Structurally fixing command injection bugs, Jim Porter <=

Prev by Date: Re: master f7b84345f8 1/2: ; * doc/emacs/vc1-xtra.texi (Editing VC Commands): Fix wording.
Next by Date: Eglot "inlay hints" landed
Previous by thread: Re: Structurally fixing command injection bugs
Next by thread: Emacs 29 manual
Index(es):
- Date
- Thread