GNU bug report logs - #19350
24.4; Incorrect quoting of %-signs for Windows command shell


Package: emacs;

Reported by: Demetrios Obenour <demetriobenour <at> gmail.com>

Date: Thu, 11 Dec 2014 18:45:02 UTC

Severity: minor

Tags: confirmed, wontfix

Found in version 24.4

Done: Noam Postavsky <npostavs <at> users.sourceforge.net>

Bug is archived. No further changes may be made.




From: Demi Obenour <demiobenour <at> gmail.com>
To: Noam Postavsky <npostavs <at> users.sourceforge.net>
Cc: 19350 <at> debbugs.gnu.org
Subject: bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell
Date: Sun, 14 Aug 2016 20:44:17 -0400
We don't know what this is being used for.  For all we know, someone has
written an Emacs plugin that passes a file with an attacker-controlled
basename (ex. downloaded from the Internet) and uses this function to
escape the filename before passing it to an external command, and in a
context where there are unbalanced double quotes (say) in a known env var.
Result: remote execution of arbitrary code.

On Aug 11, 2016 8:41 PM, <npostavs <at> users.sourceforge.net> wrote:

> Demi Obenour <demiobenour <at> gmail.com> writes:
>
> > I think that this needs to be fixed 100% — it is a security issue.
>
> Doesn't it require the attacker to already control Emacs' environment?
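The scenario above hinges on a quoting routine that leaves `%` untouched, so cmd.exe still expands `%NAME%` from the environment after the argument has been wrapped in double quotes. The Python below is an added illustration, not Emacs's own code and not from this thread: it mimics cmd.exe's command-line `%NAME%` expansion and contrasts naive double-quoting with a caret-escaping quoter. The file name and the `EVIL` variable are constructed sample input.

```python
import re

# Characters cmd.exe interprets on its command line; each gets a caret prefix.
CMD_META = re.compile(r'([%!()"<>&|^])')


def expand_like_cmd(cmdline: str, env: dict) -> str:
    """Approximate cmd.exe's %NAME% expansion on an interactive command line:
    a %NAME% whose NAME is defined in ENV is replaced, everything else stays
    literal (real cmd.exe matches names case-insensitively; the constructed
    env here uses exact names).  Expansion ignores double quotes entirely."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == '%':
            j = cmdline.find('%', i + 1)
            if j != -1 and cmdline[i + 1:j] in env:
                out.append(env[cmdline[i + 1:j]])
                i = j + 1
                continue
        out.append(cmdline[i])
        i += 1
    return ''.join(out)


def naive_quote(arg: str) -> str:
    """Quoting that only wraps in double quotes: %NAME% is still expanded."""
    return '"' + arg + '"'


def quote_for_cmd(arg: str) -> str:
    """Quote ARG for a child launched through cmd.exe (assumed approach).

    Step 1 applies the backslash/quote rules the child's CommandLineToArgvW
    expects; step 2 caret-escapes what cmd.exe itself interprets.  The caret
    splits %NAME% into %NAME^%, whose name "NAME^" is not an environment
    variable, so cmd.exe leaves it literal and then strips the carets."""
    body = re.sub(r'(\\*)"', lambda m: m.group(1) * 2 + '\\"', arg)
    body = re.sub(r'(\\*)$', lambda m: m.group(1) * 2, body, count=1)
    if re.search(r'[%!"]', body):
        # Escape the surrounding quotes as well, so cmd.exe sees no quoted
        # region and honours the carets; the child still receives plain quotes.
        return '^"' + CMD_META.sub(r'^\1', body) + '^"'
    return '"' + body + '"'


def quotes_balanced(cmdline: str) -> bool:
    """Quick audit check: an odd number of quotes means the quoted region leaked."""
    return cmdline.count('"') % 2 == 0
```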

This bug report was last modified 7 years and 101 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.