From unknown Sun Jun 15 08:28:11 2025 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailer: MIME-tools 5.509 (Entity 5.509) Content-Type: text/plain; charset=utf-8 From: bug#21702 <21702@debbugs.gnu.org> To: bug#21702 <21702@debbugs.gnu.org> Subject: Status: shell-quote-argument semantics and safety Reply-To: bug#21702 <21702@debbugs.gnu.org> Date: Sun, 15 Jun 2025 15:28:11 +0000 retitle 21702 shell-quote-argument semantics and safety reassign 21702 emacs submitter 21702 taylanbayirli@gmail.com (Taylan Ulrich Bay=C4=B1rl=C4=B1/Ka= mmer) severity 21702 normal thanks From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 18 08:36:15 2015 Received: (at submit) by debbugs.gnu.org; 18 Oct 2015 12:36:15 +0000 Received: from localhost ([127.0.0.1]:54926 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZnnCB-00037O-2z for submit@debbugs.gnu.org; Sun, 18 Oct 2015 08:36:15 -0400 Received: from eggs.gnu.org ([208.118.235.92]:38859) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZnnC7-00037F-D7 for submit@debbugs.gnu.org; Sun, 18 Oct 2015 08:36:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZnnC5-0008V1-LB for submit@debbugs.gnu.org; Sun, 18 Oct 2015 08:36:11 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,FREEMAIL_FROM, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:52927) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZnnC5-0008Ux-IP for submit@debbugs.gnu.org; Sun, 18 Oct 2015 08:36:09 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48865) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZnnC4-0005Uc-8c for bug-gnu-emacs@gnu.org; Sun, 18 Oct 2015 08:36:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZnnC3-0008Uj-2K for bug-gnu-emacs@gnu.org; Sun, 18 Oct 2015 08:36:08 -0400 Received: from mail-wi0-x22d.google.com ([2a00:1450:400c:c05::22d]:33258) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZnnC2-0008Uf-Oq for bug-gnu-emacs@gnu.org; Sun, 18 Oct 2015 08:36:06 -0400 Received: by wijp11 with SMTP id p11so64647142wij.0 for ; Sun, 18 Oct 2015 05:36:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:message-id:user-agent:mime-version :content-type; bh=0QZYKI6l0EXkHkDo2goYU6n+ut86W9e/soUiukJjXZM=; b=GOIUamkthQelE+6YY54+LdgqswQwrIqPUcjpwpc96zbprhdrTjAIXeQdsYq1mevQbP sJZaK+oTKY+hy6s4JiS1UuzLWXwGoStbbGHA9hCAwdt4fVk0sdTbPoQzYH6nCDGM86da o8FHLcfp5pRXfLhiXLCh3BIkR6HVdxmZDarP2aVCg7h0R2kQDe7b5F4UdpgqdU48Mf02 Bl4IXTWM8WNgJAUnXv3HW2Uw1o0Q7ce/OH7N6t4IeO7cBMDW7TrOvwcPCMneOmLzftnM jiIVJaunx6usVjvStb2mXswg/EkabSGnBDSi8wFz0SHMq5DLy85rspnJiV1rvMbj1zlx kddQ== X-Received: by 10.194.171.3 with SMTP id aq3mr27733519wjc.54.1445171765842; Sun, 18 Oct 2015 05:36:05 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id uq5sm33840863wjc.3.2015.10.18.05.36.04 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 18 Oct 2015 05:36:04 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: bug-gnu-emacs@gnu.org Subject: shell-quote-argument semantics and safety Date: Sun, 18 Oct 2015 14:36:03 +0200 Message-ID: <871tcstkuk.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) --=-=-= Content-Type: text/plain The documentation of shell-quote-argument only says Quote ARGUMENT for passing as argument to an inferior shell. It's unclear for which shells this is supposed to work. In a recent thread in emacs-devel, it has been demonstrated that if the result is passed to csh, it can allow an attacker to execute an arbitrary shell command, although without arguments: (let ((argument (read untrusted-source))) (assert (stringp argument)) (call-process "csh" nil t nil "-c" (concat "echo " (shell-quote-argument argument)))) ;; If untrusted-source gives us "\nevil-command\n", we get: ;; evil-command: Command not found. The function should clearly document 1) for which shells will the quoting work absolutely, i.e. lead to the given string to appear *verbatim* in an element of the ARGV of the called command, 2) optionally, for which shells will the quoting at least prevent code injection, 3) optionally, for which shells and character sets for ARGUMENT will the quoting work absolutely, 4) optionally, for which shells and character sets for ARGUMENT will the quoting at least prevent code injection, 5) optionally, for which shells will the quoting work at all even if it provides no clear semantics, such that one can at least use it with data coming from trusted sources (e.g. other parts of Emacs's source code, or the user sitting in front of Emacs), where it's the user's/programmer's responsibility to stick to values for ARGUMENT that are intuitively known to be unproblematic even if the character set isn't well-defined. Currently #5 seems to be implied for all shells, for lack of further documentation. Possibly, the function was never meant to be used with untrusted data, but there's no warning against doing so either. I stress-tested the strategy it uses for POSIX shells with the following horrible hack; the results are positive, i.e. the strategy seems to meet the criteria #1 above for POSIX shells. for i in {0..999} do dd if=/dev/urandom of=/dev/stdout bs=1K count=1 2>/dev/null | tr -d '\000' > randomfile # NULL bytes in ARGV are impossible emacs -q --batch --eval \ "(with-temp-buffer (insert-file-contents-literally \"randomfile\") (let ((data (replace-regexp-in-string \"\\n\" \"'\\n'\" (replace-regexp-in-string \"[^-0-9a-zA-Z_./\\n]\" \"\\\\\\\\\\\\&\" (buffer-substring (point-min) (point-max)))))) (erase-buffer) (insert \"printf %s \") (insert data) (write-region (point-min) (point-max) \"commandfile\")))" sh - < commandfile > output # tested with bash, dash, and ksh diff randomfile output || exit done There's also wording in POSIX which seems to guarantee the safety of the strategy: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_02_01 "A that is not quoted shall preserve the literal value of the following character, with the exception of a . [...]" For now, here's a trivial patch improving the docstring. If anyone is confident in the safety of the function for shells other than those conforming to POSIX sh, feel free to change the docstring accordingly. --=-=-= Content-Type: text/x-diff Content-Disposition: inline; filename=0001-lisp-subr.el-shell-quote-argument-Improve-documentat.patch >From dedcb603da981dcab8f576dea2f36d58fd2ddcfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Taylan=20Ulrich=20Bay=C4=B1rl=C4=B1/Kammer?= Date: Sun, 18 Oct 2015 14:23:35 +0200 Subject: [PATCH] * lisp/subr.el (shell-quote-argument): Improve documentation. --- lisp/subr.el | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lisp/subr.el b/lisp/subr.el index e176907..940ebe6 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -2711,7 +2711,11 @@ Note: :data and :device are currently not supported on Windows." (declare-function w32-shell-dos-semantics "w32-fns" nil) (defun shell-quote-argument (argument) - "Quote ARGUMENT for passing as argument to an inferior shell." + "Quote ARGUMENT for passing as argument to an inferior shell. + +This is safe for shells conforming to POSIX sh. No guarantees +regarding code injection are made for other shells, but csh, +MS-DOS and Windows NT are supported for simple cases as well." (cond ((eq system-type 'ms-dos) ;; Quote using double quotes, but escape any existing quotes in -- 2.5.0 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 18 11:26:24 2015 Received: (at 21702) by debbugs.gnu.org; 18 Oct 2015 15:26:24 +0000 Received: from localhost ([127.0.0.1]:55277 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Znpqp-000717-Uc for submit@debbugs.gnu.org; Sun, 18 Oct 2015 11:26:24 -0400 Received: from mail-wi0-f179.google.com ([209.85.212.179]:33212) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Znpqn-00070z-UZ for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 11:26:22 -0400 Received: by wijp11 with SMTP id p11so67836959wij.0 for <21702@debbugs.gnu.org>; Sun, 18 Oct 2015 08:26:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:references:date:in-reply-to:message-id:user-agent :mime-version:content-type:content-transfer-encoding; bh=xW33n5NEBhVQIFapgO+ysA2SNBfsLoMxFLCwMduK01A=; b=OyXH/sNwhLU8YVCYJvPugr6kMuKdafuCddDVZWEJMMV9vqkS8mpoU+V11rbSonR2tE Z0HdqNjn1Lc8MtxRG3+0PDczGhsRgdfhXnz6jCURB17PHbqDygGGGGFbuUnaqYj+hJvN +oEq4r5KZLxTkujMkz6HZkvmV815RdqBiCWx47iLizbNCY22xeACxdAoncjTBtop9FPN f+J32tYBp2mxGvK3nsr7JL7LaR6+/T63YSLmVbYR82w1xEFR/YPueGXymB8RIg5oFJJR i/vNozQWTGrdP/2S1bB05/IpiCwpyXonj1Jdbcgx8Fm2J+lknSfjbBTkRhxDGWb/1aQx Idww== X-Received: by 10.194.192.6 with SMTP id hc6mr27284056wjc.33.1445181981379; Sun, 18 Oct 2015 08:26:21 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id p4sm11293528wia.15.2015.10.18.08.26.19 for <21702@debbugs.gnu.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 18 Oct 2015 08:26:20 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: 21702@debbugs.gnu.org Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> Date: Sun, 18 Oct 2015 17:26:19 +0200 In-Reply-To: (GNU bug Tracking System's message of "Sun, 18 Oct 2015 12:37:02 +0000") Message-ID: <87y4f0qjtw.fsf_-_@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On the development list it has been pointed out that the Info manual contains more verbose documentation on this function, although it doesn't clarify the semantics much either. =3D=3D=3D snip =3D=3D=3D Lisp programs sometimes need to run a shell and give it a command that contains file names that were specified by the user. These programs ought to be able to support any valid file name. But the shell gives special treatment to certain characters, and if these characters occur in the file name, they will confuse the shell. To handle these characters, use the function =E2=80=98shell-quote-argument=E2=80=99: -- Function: shell-quote-argument argument This function returns a string that represents, in shell syntax, an argument whose actual contents are ARGUMENT. It should work reliably to concatenate the return value into a shell command and then pass it to a shell for execution. Precisely what this function does depends on your operating system. The function is designed to work with the syntax of your system=E2=80= =99s standard shell; if you use an unusual shell, you will need to redefine this function. ;; This example shows the behavior on GNU and Unix systems. (shell-quote-argument "foo > bar") =E2=87=92 "foo\\ \\>\\ bar" ;; This example shows the behavior on MS-DOS and MS-Windows. (shell-quote-argument "foo > bar") =E2=87=92 "\"foo > bar\"" Here=E2=80=99s an example of using =E2=80=98shell-quote-argument=E2=80= =99 to construct a shell command: (concat "diff -c " (shell-quote-argument oldfile) " " (shell-quote-argument newfile)) =3D=3D=3D /snip =3D=3D=3D I'm not sure if that needs change, given the change to the docstring, which counts as the more authoritative documentation of the precise semantics if I'm not mistaken. Taylan From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 18 13:16:59 2015 Received: (at 21702) by debbugs.gnu.org; 18 Oct 2015 17:17:00 +0000 Received: from localhost ([127.0.0.1]:55300 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZnrZr-0001Hw-B4 for submit@debbugs.gnu.org; Sun, 18 Oct 2015 13:16:59 -0400 Received: from mtaout22.012.net.il ([80.179.55.172]:43313) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZnrZo-0001Hm-3a for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 13:16:57 -0400 Received: from conversion-daemon.a-mtaout22.012.net.il by a-mtaout22.012.net.il (HyperSendmail v2007.08) id <0NWF00300EAZF200@a-mtaout22.012.net.il> for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 20:16:53 +0300 (IDT) Received: from HOME-C4E4A596F7 ([84.94.185.246]) by a-mtaout22.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NWF003XPEO5FQ00@a-mtaout22.012.net.il>; Sun, 18 Oct 2015 20:16:53 +0300 (IDT) Date: Sun, 18 Oct 2015 20:16:54 +0300 From: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety In-reply-to: <871tcstkuk.fsf@T420.taylan> X-012-Sender: halo1@inter.net.il To: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1=2FK?= =?utf-8?Q?ammer?=) Message-id: <83pp0chzax.fsf@gnu.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8BIT References: <871tcstkuk.fsf@T420.taylan> X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Eli Zaretskii List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > From: taylanbayirli@gmail.com (Taylan Ulrich > Bayırlı/Kammer) > Date: Sun, 18 Oct 2015 14:36:03 +0200 > > The documentation of shell-quote-argument only says > > Quote ARGUMENT for passing as argument to an inferior shell. > > It's unclear for which shells this is supposed to work. I fixed the doc string to clarify that this function works correctly with the system's standard shell. > In a recent thread in emacs-devel, it has been demonstrated that if > the result is passed to csh, it can allow an attacker to execute an > arbitrary shell command As I understand it, csh is not the standard shell on Posix systems, so the fixed doc string now says not to expect it to work with csh. > The function should clearly document > > 1) for which shells will the quoting work absolutely, i.e. lead to > the given string to appear *verbatim* in an element of the ARGV of > the called command, > > 2) optionally, for which shells will the quoting at least prevent > code injection, > > 3) optionally, for which shells and character sets for ARGUMENT will > the quoting work absolutely, > > 4) optionally, for which shells and character sets for ARGUMENT will > the quoting at least prevent code injection, > > 5) optionally, for which shells will the quoting work at all even if > it provides no clear semantics, such that one can at least use it > with data coming from trusted sources (e.g. other parts of Emacs's > source code, or the user sitting in front of Emacs), where it's the > user's/programmer's responsibility to stick to values for ARGUMENT > that are intuitively known to be unproblematic even if the character > set isn't well-defined. > > Currently #5 seems to be implied for all shells, for lack of further > documentation. Possibly, the function was never meant to be used with > untrusted data, but there's no warning against doing so either. I thin 1) is now covered, and the rest are optional. In particular, our way to provide better safety is not by documenting APIs that could be maliciously abused, but by marking the related variables as unsafe unless they have special predefined values. So I don't think we should extend this particular doc string with safety information. > (defun shell-quote-argument (argument) > - "Quote ARGUMENT for passing as argument to an inferior shell." > + "Quote ARGUMENT for passing as argument to an inferior shell. > + > +This is safe for shells conforming to POSIX sh. No guarantees > +regarding code injection are made for other shells, but csh, > +MS-DOS and Windows NT are supported for simple cases as well." Thanks, but I think this is no longer needed, after the change I made. From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 18 15:12:41 2015 Received: (at 21702) by debbugs.gnu.org; 18 Oct 2015 19:12:41 +0000 Received: from localhost ([127.0.0.1]:55364 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZntNo-0005aK-Di for submit@debbugs.gnu.org; Sun, 18 Oct 2015 15:12:40 -0400 Received: from mail-wi0-f169.google.com ([209.85.212.169]:36270) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZntNk-0005aB-Ua for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 15:12:37 -0400 Received: by wicfx6 with SMTP id fx6so23220924wic.1 for <21702@debbugs.gnu.org>; Sun, 18 Oct 2015 12:12:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-type:content-transfer-encoding; bh=3mpjrz6f0vUOLpBmQJLUMUbQz3Z+Ad0bV9E/rxyKVM4=; b=LLp0R69lrJqiWCt6ATStSHwxxoOwR6bi9yK4lO7JoPzymPlRnBEbX45lpFPaPpUoae QQSfrTqGzQGSOqgiCRV557wT3/hFIbzuAaHqfU3vo4FwqVlDlYGgq8bvyH2TqEFi9J1n KpZlp5E1tCt4YFPx0YzJTI+pc00Yvp6/gYilUr5iLQ/Qs+8KLkDJ6DwSasRh2YeqVjla rIBsn639VuRJC+rt+2HPLHtiQKulILCq6F7WUHh3V4XKrxxqjwvY90uSQyK82bpZA4r1 RBc4xw5YYzwUDE4mYOeyIvMmc5yu6laoqCKYKEV0gFT8rrwIxVWwgaWa5sDp3XuGUY8p qfCQ== X-Received: by 10.180.102.135 with SMTP id fo7mr4585949wib.0.1445195556214; Sun, 18 Oct 2015 12:12:36 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id uq5sm35557308wjc.3.2015.10.18.12.12.34 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 18 Oct 2015 12:12:35 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> Date: Sun, 18 Oct 2015 21:12:34 +0200 In-Reply-To: <83pp0chzax.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 18 Oct 2015 20:16:54 +0300") Message-ID: <874mhoq9ct.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Eli Zaretskii writes: >> From: taylanbayirli@gmail.com (Taylan Ulrich >> Bay=C4=B1rl=C4=B1/Kammer) >> Date: Sun, 18 Oct 2015 14:36:03 +0200 >>=20 >> The documentation of shell-quote-argument only says >>=20 >> Quote ARGUMENT for passing as argument to an inferior shell. >>=20 >> It's unclear for which shells this is supposed to work. > > I fixed the doc string to clarify that this function works correctly > with the system's standard shell. > >> In a recent thread in emacs-devel, it has been demonstrated that if >> the result is passed to csh, it can allow an attacker to execute an >> arbitrary shell command > > As I understand it, csh is not the standard shell on Posix systems, so > the fixed doc string now says not to expect it to work with csh. > >> The function should clearly document >>=20 >> 1) for which shells will the quoting work absolutely, i.e. lead to >> the given string to appear *verbatim* in an element of the ARGV of >> the called command, >>=20 >> 2) optionally, for which shells will the quoting at least prevent >> code injection, >>=20 >> 3) optionally, for which shells and character sets for ARGUMENT will >> the quoting work absolutely, >>=20 >> 4) optionally, for which shells and character sets for ARGUMENT will >> the quoting at least prevent code injection, >>=20 >> 5) optionally, for which shells will the quoting work at all even if >> it provides no clear semantics, such that one can at least use it >> with data coming from trusted sources (e.g. other parts of Emacs's >> source code, or the user sitting in front of Emacs), where it's the >> user's/programmer's responsibility to stick to values for ARGUMENT >> that are intuitively known to be unproblematic even if the character >> set isn't well-defined. >>=20 >> Currently #5 seems to be implied for all shells, for lack of further >> documentation. Possibly, the function was never meant to be used with >> untrusted data, but there's no warning against doing so either. > > I thin 1) is now covered, and the rest are optional. In particular, > our way to provide better safety is not by documenting APIs that could > be maliciously abused, but by marking the related variables as unsafe > unless they have special predefined values. So I don't think we > should extend this particular doc string with safety information. Hm, there seems to be a fundamental difference in mindset here in how one might use Elisp. I'd like to point out that (in the most extreme cases) people have actually been writing web servers and other such programs in Elisp for which one would normally use a general-purpose language. That is, "APIs that could be maliciously abused" is not the right way to look at it. It's not about the Elisp programmer abusing the API, it's about a malicious data source exploiting a (potential) flaw in an Elisp function, which Elisp programmers have relied on and thus made their programs vulnerable to code injection. That's why I was being so careful with regard to the safety guarantees of the "shell-quasiquote" package I contributed. I would like people to be able to use that as part of a general-purpose Elisp language, and so being safe against code injection is an absolute must. They might after all use it as part of a network-facing service. Actually that might also apply when using e.g. TRAMP, which also communicates with remote hosts and is a normal part of Emacs. I've been told it receives file names from remote hosts and passes them through shell-quote-argument before giving them to a shell. So maybe my concerns apply there as well. Given that, "I think 1) is now covered" is not very relieving to hear. It amounts to "I think this is safe against code injection" which is rather alarming to hear. Either it's very confidently known to be safe and so one may use it for network-facing code, or it's not confidently known to be safe and so one shouldn't use it for network-facing code. This should be documented clearly especially so that users who aren't very aware of injection attacks won't nonchalantly use the function for their network-facing code (when the function isn't known to be safe for this), but also so that users who are aware of such issues know they can use the function and don't instead invent their own thing (when it is known to be safe). Does that make sense? Taylan From debbugs-submit-bounces@debbugs.gnu.org Sun Oct 18 15:48:19 2015 Received: (at 21702) by debbugs.gnu.org; 18 Oct 2015 19:48:19 +0000 Received: from localhost ([127.0.0.1]:55419 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZntwI-0006V1-Lq for submit@debbugs.gnu.org; Sun, 18 Oct 2015 15:48:19 -0400 Received: from mtaout24.012.net.il ([80.179.55.180]:36552) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1ZntwF-0006Ur-QQ for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 15:48:17 -0400 Received: from conversion-daemon.mtaout24.012.net.il by mtaout24.012.net.il (HyperSendmail v2007.08) id <0NWF00600L5K2700@mtaout24.012.net.il> for 21702@debbugs.gnu.org; Sun, 18 Oct 2015 22:41:30 +0300 (IDT) Received: from HOME-C4E4A596F7 ([84.94.185.246]) by mtaout24.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NWF002C2LD6QG30@mtaout24.012.net.il>; Sun, 18 Oct 2015 22:41:30 +0300 (IDT) Date: Sun, 18 Oct 2015 22:48:15 +0300 From: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety In-reply-to: <874mhoq9ct.fsf@T420.taylan> X-012-Sender: halo1@inter.net.il To: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1=2FK?= =?utf-8?Q?ammer?=) Message-id: <83h9lohsao.fsf@gnu.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8BIT References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Eli Zaretskii List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer) > Cc: 21702@debbugs.gnu.org > Date: Sun, 18 Oct 2015 21:12:34 +0200 > > I'd like to point out that (in the most extreme cases) people have > actually been writing web servers and other such programs in Elisp for > which one would normally use a general-purpose language. > > That is, "APIs that could be maliciously abused" is not the right way to > look at it. It's not about the Elisp programmer abusing the API, it's > about a malicious data source exploiting a (potential) flaw in an Elisp > function, which Elisp programmers have relied on and thus made their > programs vulnerable to code injection. > > > That's why I was being so careful with regard to the safety guarantees > of the "shell-quasiquote" package I contributed. I would like people to > be able to use that as part of a general-purpose Elisp language, and so > being safe against code injection is an absolute must. They might after > all use it as part of a network-facing service. > > > Actually that might also apply when using e.g. TRAMP, which also > communicates with remote hosts and is a normal part of Emacs. I've been > told it receives file names from remote hosts and passes them through > shell-quote-argument before giving them to a shell. So maybe my > concerns apply there as well. > > > Given that, "I think 1) is now covered" is not very relieving to hear. Item 1 was this: > >> The function should clearly document > >> > >> 1) for which shells will the quoting work absolutely, i.e. lead to > >> the given string to appear *verbatim* in an element of the ARGV of > >> the called command, There's nothing about safety here, only about correctness. That is the aspect that I think is now covered, as the doc string now says for which shells one can have correct results. > It amounts to "I think this is safe against code injection" which is > rather alarming to hear. Either it's very confidently known to be safe > and so one may use it for network-facing code, or it's not confidently > known to be safe and so one shouldn't use it for network-facing code. > This should be documented clearly especially so that users who aren't > very aware of injection attacks won't nonchalantly use the function for > their network-facing code (when the function isn't known to be safe for > this), but also so that users who are aware of such issues know they can > use the function and don't instead invent their own thing (when it is > known to be safe). > > Does that make sense? Maybe it does, but only if we start documenting these aspects project-wide. It makes little sense to me to do that for a single API, and not an important one at that. But that's me. From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 03:34:22 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 07:34:22 +0000 Received: from localhost ([127.0.0.1]:55667 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo4xZ-00060W-HY for submit@debbugs.gnu.org; Mon, 19 Oct 2015 03:34:22 -0400 Received: from mail-wi0-f171.google.com ([209.85.212.171]:34919) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo4xW-00060L-E6 for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 03:34:19 -0400 Received: by wicll6 with SMTP id ll6so82791913wic.0 for <21702@debbugs.gnu.org>; Mon, 19 Oct 2015 00:34:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-type:content-transfer-encoding; bh=RaITETtAoEVLjXrrfgBmgUNbGs9NHUbFrlUXrI8cy9s=; b=QKej1Bu777yLbrft3mdkDFJneSW8DxXlNc+CJyjMUCOV8HZbKkpDbThELQbE1R30eA hPKMOVGiU5ETQvFrHLvvbRPJ8a/4wtb2YFQrkBzp1q8PA537xXRlmXdFbNnXx6jAFeHN GEsZsEFDD4ExNlDKG2yHlsVG8csFYBY9WwzTTn94QcXveF6rp1GVl7PJbDQtESYFs75p YBmY6XuQ6G9NGvj/78fTdx6jdRanKb/1wI1HC6E8JauFkJM5NHYLTwbtdFdoV3c+J2WS wqOkqJ2QiARKu2xSKOox5ZAYUDd4Gs/jLTZp4wVAjEYXvK/YeU5GXtZPGhFreJzrXjLN JzxA== X-Received: by 10.180.211.176 with SMTP id nd16mr19573351wic.83.1445240057551; Mon, 19 Oct 2015 00:34:17 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id bk4sm38368531wjc.1.2015.10.19.00.34.15 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Oct 2015 00:34:16 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> Date: Mon, 19 Oct 2015 09:34:15 +0200 In-Reply-To: <83h9lohsao.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 18 Oct 2015 22:48:15 +0300") Message-ID: <87h9lnpb0o.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Eli Zaretskii writes: >> From: taylanbayirli@gmail.com (Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer) >> Cc: 21702@debbugs.gnu.org >> Date: Sun, 18 Oct 2015 21:12:34 +0200 >>=20 >> I'd like to point out that (in the most extreme cases) people have >> actually been writing web servers and other such programs in Elisp for >> which one would normally use a general-purpose language. >>=20 >> That is, "APIs that could be maliciously abused" is not the right way to >> look at it. It's not about the Elisp programmer abusing the API, it's >> about a malicious data source exploiting a (potential) flaw in an Elisp >> function, which Elisp programmers have relied on and thus made their >> programs vulnerable to code injection. >>=20 >>=20 >> That's why I was being so careful with regard to the safety guarantees >> of the "shell-quasiquote" package I contributed. I would like people to >> be able to use that as part of a general-purpose Elisp language, and so >> being safe against code injection is an absolute must. They might after >> all use it as part of a network-facing service. >>=20 >>=20 >> Actually that might also apply when using e.g. TRAMP, which also >> communicates with remote hosts and is a normal part of Emacs. I've been >> told it receives file names from remote hosts and passes them through >> shell-quote-argument before giving them to a shell. So maybe my >> concerns apply there as well. >>=20 >>=20 >> Given that, "I think 1) is now covered" is not very relieving to hear. > > Item 1 was this: > >> >> The function should clearly document >> >>=20 >> >> 1) for which shells will the quoting work absolutely, i.e. lead to >> >> the given string to appear *verbatim* in an element of the ARGV of >> >> the called command, > > There's nothing about safety here, only about correctness. That is > the aspect that I think is now covered, as the doc string now says for > which shells one can have correct results. Usually it's indeed correctness that protects against injection attacks. A quoting mechanism that's correct is automatically safe. Another way to make it safe would be to error when the given string contains characters outside of a limited character set. Either way, the safeness should be documented clearly, either implicitly through a clear documentation of the correctness, or explicitly. In your patch, correctness is implied, but the complexity of the problem domain (and thus the function itself) and the importance of possible repercussions of an incorrect implementation leave clearer documentation to be desired. While any function is really implied to be correct by its existence, any function is also implied to very possibly contain bugs, as is natural for software. In many cases these bugs are unimportant. In this case not. I would propose something along the lines of: It is guaranteed that ARGUMENT will be parsed as a single token by shells X, Y, and Z, as long as it is separated from other text via a delimiter in the syntax of the respective shell. (That's even better than the patch I proposed, which didn't mention the problem of delimiting.) I think it's also important to provide some explicit enumeration of shells for which the function is safe, because the systems Emacs supports may change over time, and there is no guarantee that a change to this function will not entail bugs. If we add wording like the above, then any programmer who sits down to expand the function's semantics to another shell will be forced to think very hard about what they're doing; otherwise they might try to do a "good enough" job but not make sure that all edge-cases are handled. "Designed to work with" is after all not an absolute claim of correctness and absence of bugs. >> It amounts to "I think this is safe against code injection" which is >> rather alarming to hear. Either it's very confidently known to be safe >> and so one may use it for network-facing code, or it's not confidently >> known to be safe and so one shouldn't use it for network-facing code. >> This should be documented clearly especially so that users who aren't >> very aware of injection attacks won't nonchalantly use the function for >> their network-facing code (when the function isn't known to be safe for >> this), but also so that users who are aware of such issues know they can >> use the function and don't instead invent their own thing (when it is >> known to be safe). >>=20 >> Does that make sense? > > Maybe it does, but only if we start documenting these aspects > project-wide. It makes little sense to me to do that for a single > API, and not an important one at that. But that's me. This is an API which if its implementation is imperfect will result in programs prone to code injection attacks when these programs face untrusted input sources. Why do you say it's not an important one? Taylan From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 03:48:32 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 07:48:32 +0000 Received: from localhost ([127.0.0.1]:55672 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo5BH-0006KB-Ks for submit@debbugs.gnu.org; Mon, 19 Oct 2015 03:48:32 -0400 Received: from mtaout26.012.net.il ([80.179.55.182]:43771) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo5BE-0006K2-Ob for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 03:48:30 -0400 Received: from conversion-daemon.mtaout26.012.net.il by mtaout26.012.net.il (HyperSendmail v2007.08) id <0NWG00100IYYSK00@mtaout26.012.net.il> for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 10:50:40 +0300 (IDT) Received: from HOME-C4E4A596F7 ([84.94.185.246]) by mtaout26.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NWG00OMIJ4FXD20@mtaout26.012.net.il>; Mon, 19 Oct 2015 10:50:40 +0300 (IDT) Date: Mon, 19 Oct 2015 10:47:28 +0300 From: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety In-reply-to: <87h9lnpb0o.fsf@T420.taylan> X-012-Sender: halo1@inter.net.il To: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1=2FK?= =?utf-8?Q?ammer?=) Message-id: <83twpnguzz.fsf@gnu.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8BIT References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Eli Zaretskii List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer) > Cc: 21702@debbugs.gnu.org > Date: Mon, 19 Oct 2015 09:34:15 +0200 > > > Item 1 was this: > > > >> >> The function should clearly document > >> >> > >> >> 1) for which shells will the quoting work absolutely, i.e. lead to > >> >> the given string to appear *verbatim* in an element of the ARGV of > >> >> the called command, > > > > There's nothing about safety here, only about correctness. That is > > the aspect that I think is now covered, as the doc string now says for > > which shells one can have correct results. > > Usually it's indeed correctness that protects against injection attacks. > A quoting mechanism that's correct is automatically safe. And that is the current situation, AFAIU. > Another way to make it safe would be to error when the given string > contains characters outside of a limited character set. What limited set would you suggest that will not make the function useless in real-life scenarios? In any case, I think quoting is better than rejecting, as it supports more use cases. > Either way, the safeness should be documented clearly, either implicitly > through a clear documentation of the correctness, or explicitly. Like I said, this convention should be adopted project-wide. Doing so only in a few doc strings, let alone one, will only confuse, because the user will not know whether the lack of such documentation means the API is safe or unsafe. > I would propose something along the lines of: > > It is guaranteed that ARGUMENT will be parsed as a single token by > shells X, Y, and Z, as long as it is separated from other text via a > delimiter in the syntax of the respective shell. I don't think we want to mention specific shells explicitly, because maintaining such a list would be a burden. The standard shell of each OS is well defined and known to the users of the respective systems. Moreover, Emacs by default uses that shell automatically. > >> Does that make sense? > > > > Maybe it does, but only if we start documenting these aspects > > project-wide. It makes little sense to me to do that for a single > > API, and not an important one at that. But that's me. > > This is an API which if its implementation is imperfect will result in > programs prone to code injection attacks when these programs face > untrusted input sources. Why do you say it's not an important one? Because there are many much more important ones that can do much more harm more easily. In particular, a shell command doesn't need to be quoted to be harmful or malicious. From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 05:22:24 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 09:22:24 +0000 Received: from localhost ([127.0.0.1]:55743 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo6e7-0008W7-Cc for submit@debbugs.gnu.org; Mon, 19 Oct 2015 05:22:23 -0400 Received: from mail-lb0-f172.google.com ([209.85.217.172]:33068) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo6e4-0008Vx-Un for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 05:22:21 -0400 Received: by lbbpp2 with SMTP id pp2so109397097lbb.0 for <21702@debbugs.gnu.org>; Mon, 19 Oct 2015 02:22:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-type; bh=Vi51fmYrhGA9t4fAB005FgZH7FbEvJeV3JI1eYueBeE=; b=0EyLlyfXhxa+HTrL9WDhMi3Chk7wEBlPvrWe91ik7iUXOc7HEaw3MBEWOJOlHcOT4d I5Fu1f4GVcXBPIrTiLxTUN2lVS0V6lnsTYztUa3EhVigKdB4ituZlGzigxDiv4xy3n3Q 7e/DHWaJ92LhE/0mkwWJua0f3M5h+Pwjig3mjKKxl0NesbBmBXdbrTeCvMlWvoXMiyMD TfCxnaJtmLc8Ee4lM/VDZZrh95+vFOmE9EDnXskIEbGdc9NsvqNT0Jqp4QaV7jTtm8+5 08TaXrFNqXe8CPydIS86TMxqa6g/g73doN9ihPPBiUZPvu7LDGbNz/Bb/Qz0EP4iJTAR bVbg== X-Received: by 10.194.104.200 with SMTP id gg8mr34719672wjb.144.1445246539441; Mon, 19 Oct 2015 02:22:19 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id cc8sm38963472wjc.46.2015.10.19.02.22.17 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Oct 2015 02:22:17 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org> Date: Mon, 19 Oct 2015 11:22:16 +0200 In-Reply-To: <83twpnguzz.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 19 Oct 2015 10:47:28 +0300") Message-ID: <87vba3nrg7.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Eli Zaretskii writes: >> From: taylanbayirli@gmail.com (Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer) >> Cc: 21702@debbugs.gnu.org >> Date: Mon, 19 Oct 2015 09:34:15 +0200 >>=20 >> > Item 1 was this: >> > >> >> >> The function should clearly document >> >> >>=20 >> >> >> 1) for which shells will the quoting work absolutely, i.e. lea= d to >> >> >> the given string to appear *verbatim* in an element of the ARG= V of >> >> >> the called command, >> > >> > There's nothing about safety here, only about correctness. That is >> > the aspect that I think is now covered, as the doc string now says for >> > which shells one can have correct results. >>=20 >> Usually it's indeed correctness that protects against injection attacks. >> A quoting mechanism that's correct is automatically safe. > > And that is the current situation, AFAIU. > >> Another way to make it safe would be to error when the given string >> contains characters outside of a limited character set. > > What limited set would you suggest that will not make the function > useless in real-life scenarios? > > In any case, I think quoting is better than rejecting, as it supports > more use cases. > >> Either way, the safeness should be documented clearly, either implicitly >> through a clear documentation of the correctness, or explicitly. > > Like I said, this convention should be adopted project-wide. Doing so > only in a few doc strings, let alone one, will only confuse, because > the user will not know whether the lack of such documentation means > the API is safe or unsafe. Yes, it should be done for every function for which the concerns I've explained apply. So let's start from this one. >> I would propose something along the lines of: >>=20 >> It is guaranteed that ARGUMENT will be parsed as a single token by >> shells X, Y, and Z, as long as it is separated from other text via a >> delimiter in the syntax of the respective shell. > > I don't think we want to mention specific shells explicitly, because > maintaining such a list would be a burden. The standard shell of each > OS is well defined and known to the users of the respective systems. > Moreover, Emacs by default uses that shell automatically. For instance: POSIX sh, MS-DOS, and Windows NT, is not a long list. (I don't really know what shells MS-DOS and Windows NT use; a more precise naming would be good.) The payoff of the small burden is having clear safety guarantees. >> >> Does that make sense? >> > >> > Maybe it does, but only if we start documenting these aspects >> > project-wide. It makes little sense to me to do that for a single >> > API, and not an important one at that. But that's me. >>=20 >> This is an API which if its implementation is imperfect will result in >> programs prone to code injection attacks when these programs face >> untrusted input sources. Why do you say it's not an important one? > > Because there are many much more important ones that can do much more > harm more easily. In particular, a shell command doesn't need to be > quoted to be harmful or malicious. There being other important cases, does not make this a less important case. It is exactly as important as I've already said. I don't understand what "a shell command doesn't need to be quoted to be harmful" is supposed to mean; quoting is what *makes* the arguments harmless, by ensuring they cleanly end up in the ARGV of a called command instead of causing arbitrary behavior of the shell. Here's a patch doing an improvement to the documentation like the one I proposed. Of course, if you have verified that shells other than POSIX sh are fully safe, feel free to improve the docstring accordingly. Taylan --=-=-= Content-Type: text/x-diff Content-Disposition: inline; filename=0001-lisp-subr.el-shell-quote-argument-Improve-documentat.patch >From bb746be5638a17c99e1647ecc178e3b9d97e4ba3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Taylan=20Ulrich=20Bay=C4=B1rl=C4=B1/Kammer?= Date: Sun, 18 Oct 2015 14:23:35 +0200 Subject: [PATCH] * lisp/subr.el (shell-quote-argument): Improve documentation. --- lisp/subr.el | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/lisp/subr.el b/lisp/subr.el index c903ee3..e55647b 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -2713,8 +2713,14 @@ Note: :data and :device are currently not supported on Windows." (defun shell-quote-argument (argument) "Quote ARGUMENT for passing as argument to an inferior shell. -This function is designed to work with the syntax of your system's -standard shell, and might produce incorrect results with unusual shells." +This is safe for shells conforming to POSIX sh. No safety +guarantees are made for other shells, but the standard MS-DOS and +Windows NT shells are supported as well. + +Being safe in this context means that as long as the result is +surrounded by delimiters in the syntax of the respective shell, +it's guaranteed that it will be parsed as one token and that the +value of the token will be exactly ARGUMENT." (cond ((eq system-type 'ms-dos) ;; Quote using double quotes, but escape any existing quotes in -- 2.5.0 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 05:32:26 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 09:32:26 +0000 Received: from localhost ([127.0.0.1]:55749 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo6nq-0000Js-9n for submit@debbugs.gnu.org; Mon, 19 Oct 2015 05:32:26 -0400 Received: from mtaout26.012.net.il ([80.179.55.182]:44651) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo6nn-0000Jj-Vn for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 05:32:25 -0400 Received: from conversion-daemon.mtaout26.012.net.il by mtaout26.012.net.il (HyperSendmail v2007.08) id <0NWG00700NWT6F00@mtaout26.012.net.il> for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 12:35:34 +0300 (IDT) Received: from HOME-C4E4A596F7 ([84.94.185.246]) by mtaout26.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NWG00MR6NZ9NM90@mtaout26.012.net.il>; Mon, 19 Oct 2015 12:35:34 +0300 (IDT) Date: Mon, 19 Oct 2015 12:32:22 +0300 From: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety In-reply-to: <87vba3nrg7.fsf@T420.taylan> X-012-Sender: halo1@inter.net.il To: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1=2FK?= =?utf-8?Q?ammer?=) Message-id: <83io63gq55.fsf@gnu.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8BIT References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org> <87vba3nrg7.fsf@T420.taylan> X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Eli Zaretskii List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer) > Cc: 21702@debbugs.gnu.org > Date: Mon, 19 Oct 2015 11:22:16 +0200 > > > Like I said, this convention should be adopted project-wide. Doing so > > only in a few doc strings, let alone one, will only confuse, because > > the user will not know whether the lack of such documentation means > > the API is safe or unsafe. > > Yes, it should be done for every function for which the concerns I've > explained apply. So let's start from this one. Before we start, we need a _decision_ to do that everywhere. Then we could start doing that piecemeal. Before the decision is made, there's no reason to make any such changes. > >> I would propose something along the lines of: > >> > >> It is guaranteed that ARGUMENT will be parsed as a single token by > >> shells X, Y, and Z, as long as it is separated from other text via a > >> delimiter in the syntax of the respective shell. > > > > I don't think we want to mention specific shells explicitly, because > > maintaining such a list would be a burden. The standard shell of each > > OS is well defined and known to the users of the respective systems. > > Moreover, Emacs by default uses that shell automatically. > > For instance: POSIX sh, MS-DOS, and Windows NT, is not a long list. This list doesn't name shells on DOS and Windows (there are several good candidates). As for Posix, is it only sh? What about Bash? what about zsh? You see, the moment you come up with a list such as above, people will start complaining that their favorite shell is not in the list, and the list will grow. Then we will discover that some shells are not really compatible after all, etc. etc. It's a maintenance burden we had better avoided. Saying "the standard shell" avoids all that nicely, because it refers to a single well-known shell. > I don't understand what "a shell command doesn't need to be quoted to be > harmful" is supposed to mean Something like this: rm -rf /* > Here's a patch doing an improvement to the documentation like the one I > proposed. Of course, if you have verified that shells other than POSIX > sh are fully safe, feel free to improve the docstring accordingly. Thanks. However, like I said, I don't think this change would be correct, or needed. From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 05:50:29 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 09:50:29 +0000 Received: from localhost ([127.0.0.1]:55760 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo75I-0000j2-U4 for submit@debbugs.gnu.org; Mon, 19 Oct 2015 05:50:29 -0400 Received: from mail-lf0-f49.google.com ([209.85.215.49]:34638) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo75G-0000it-V5 for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 05:50:27 -0400 Received: by lfaz124 with SMTP id z124so105951257lfa.1 for <21702@debbugs.gnu.org>; Mon, 19 Oct 2015 02:50:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-type:content-transfer-encoding; bh=bW+KDHVaYIGkVCzgDhnMjqDvq+PaOWGldPJGcBD/ojs=; b=pT6vQZfx6wHDlscKDxHH85UsOJ+1mtz7Wt+OoioV7G/tyH8VMeURWsy4vT77yUkhku 7od1Yn0NcoSsVI6+ARuHS9q/L2RrP6FPGSn7Qa5AXKM/suN3q3HDX8CT3Ag3akzvuh/I hQhcDsn42eS9rM5iNr/lE0DKhKH4DjLjkxi8rAwSUG/0PlY41WRArL8g/PSUc3c9ReDO O0zxNiwGDucVjTidATMOu44EOedf5Iv4ySw3hRh1qzdZhW/AoletwbBZfeisHrhlZRMH gbw/aLOdb/5/DK1UhjgQMTm9un5aAapztAaSeD2tIK4wb3z45xsHDNg4wzgPgFq2erhE gL2Q== X-Received: by 10.180.91.70 with SMTP id cc6mr20477374wib.58.1445248225993; Mon, 19 Oct 2015 02:50:25 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id r6sm26505757wia.0.2015.10.19.02.50.24 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Oct 2015 02:50:24 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org> <87vba3nrg7.fsf@T420.taylan> <83io63gq55.fsf@gnu.org> Date: Mon, 19 Oct 2015 11:50:23 +0200 In-Reply-To: <83io63gq55.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 19 Oct 2015 12:32:22 +0300") Message-ID: <87lhaznq5c.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Eli Zaretskii writes: >> From: taylanbayirli@gmail.com (Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer) >> Cc: 21702@debbugs.gnu.org >> Date: Mon, 19 Oct 2015 11:22:16 +0200 >>=20 >> > Like I said, this convention should be adopted project-wide. Doing so >> > only in a few doc strings, let alone one, will only confuse, because >> > the user will not know whether the lack of such documentation means >> > the API is safe or unsafe. >>=20 >> Yes, it should be done for every function for which the concerns I've >> explained apply. So let's start from this one. > > Before we start, we need a _decision_ to do that everywhere. Then we > could start doing that piecemeal. Before the decision is made, > there's no reason to make any such changes. Given all the reasons I listed, I would expect that decision to be obvious. >> >> I would propose something along the lines of: >> >>=20 >> >> It is guaranteed that ARGUMENT will be parsed as a single token by >> >> shells X, Y, and Z, as long as it is separated from other text vi= a a >> >> delimiter in the syntax of the respective shell. >> > >> > I don't think we want to mention specific shells explicitly, because >> > maintaining such a list would be a burden. The standard shell of each >> > OS is well defined and known to the users of the respective systems. >> > Moreover, Emacs by default uses that shell automatically. >>=20 >> For instance: POSIX sh, MS-DOS, and Windows NT, is not a long list. > > This list doesn't name shells on DOS and Windows (there are several > good candidates). As for Posix, is it only sh? What about Bash? what > about zsh? > > You see, the moment you come up with a list such as above, people will > start complaining that their favorite shell is not in the list, and > the list will grow. Then we will discover that some shells are not > really compatible after all, etc. etc. It's a maintenance burden we > had better avoided. > > Saying "the standard shell" avoids all that nicely, because it refers > to a single well-known shell. Dash, Bash and (AFAIK all versions of) ksh are POSIX sh compliant. Zsh not unless when requested IIRC; in any case "POSIX sh" is well-defined. My latest patch says "standard shells of MS-DOS and Windows NT." Feel free to improve that if necessary. >> I don't understand what "a shell command doesn't need to be quoted to be >> harmful" is supposed to mean > > Something like this: > > rm -rf /* What are you trying to say? Of course an arbitrary shell command can do anything. The whole point of shell-quote-argument is to prevent a string which is meant purely as an argument to a command to become equivalent in power to an arbitrary shell command. >> Here's a patch doing an improvement to the documentation like the one I >> proposed. Of course, if you have verified that shells other than POSIX >> sh are fully safe, feel free to improve the docstring accordingly. > > Thanks. However, like I said, I don't think this change would be > correct, or needed. I've explained the need for the change, and it is correct. I don't understand why you're trying to make everything so difficult. If for reasons unclear to me you absolutely refuse to accept these improvements to shell-quote-argument's documentation, I will just continue not using the function, because it cannot be trusted. Taylan From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 06:19:27 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 10:19:27 +0000 Received: from localhost ([127.0.0.1]:55785 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo7XL-0001Ol-Ha for submit@debbugs.gnu.org; Mon, 19 Oct 2015 06:19:27 -0400 Received: from mtaout25.012.net.il ([80.179.55.181]:47262) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo7XJ-0001Od-Vm for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 06:19:26 -0400 Received: from conversion-daemon.mtaout25.012.net.il by mtaout25.012.net.il (HyperSendmail v2007.08) id <0NWG00200PVXJ500@mtaout25.012.net.il> for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 13:17:03 +0300 (IDT) Received: from HOME-C4E4A596F7 ([84.94.185.246]) by mtaout25.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0NWG001GGPWF2710@mtaout25.012.net.il>; Mon, 19 Oct 2015 13:17:03 +0300 (IDT) Date: Mon, 19 Oct 2015 13:19:26 +0300 From: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety In-reply-to: <87lhaznq5c.fsf@T420.taylan> X-012-Sender: halo1@inter.net.il To: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1=2FK?= =?utf-8?Q?ammer?=) Message-id: <83eggrgnyp.fsf@gnu.org> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8BIT References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org> <87vba3nrg7.fsf@T420.taylan> <83io63gq55.fsf@gnu.org> <87lhaznq5c.fsf@T420.taylan> X-Spam-Score: 1.0 (+) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Eli Zaretskii List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 1.0 (+) > From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer) > Cc: 21702@debbugs.gnu.org > Date: Mon, 19 Oct 2015 11:50:23 +0200 > > I don't understand why you're trying to make everything so difficult. I don't. We just disagree, that's all. I modified the doc string to add the missing information about the shells for which the function was designed. I don't think we should add anything else, for the reasons I pointed out already. > If for reasons unclear to me you absolutely refuse to accept these > improvements to shell-quote-argument's documentation, I will just > continue not using the function, because it cannot be trusted. How can documentation make a function more trustworthy? And what does that have to do with this bug report? This bug report is about the documentation of shell-quote-argument, not whether it is safe and should or should not be used. I think this bug should be closed now. From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 19 06:25:22 2015 Received: (at 21702) by debbugs.gnu.org; 19 Oct 2015 10:25:22 +0000 Received: from localhost ([127.0.0.1]:55789 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo7d3-0001a4-VN for submit@debbugs.gnu.org; Mon, 19 Oct 2015 06:25:22 -0400 Received: from mail-qk0-f175.google.com ([209.85.220.175]:34934) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zo7d2-0001Zu-2S for 21702@debbugs.gnu.org; Mon, 19 Oct 2015 06:25:20 -0400 Received: by qkbl190 with SMTP id l190so19791869qkb.2 for <21702@debbugs.gnu.org>; Mon, 19 Oct 2015 03:25:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-type:content-transfer-encoding; bh=OyRgVvXLQNBSQ+L2U+5gLtl4AhssGJqN87nfaMGur5A=; b=qXEqlZpbNG6xOa4ITry6s4kNLsfpxI7c8nQ//fDLdZy9Bk/NMEx6KVYDjgROu+DPLA 1HKngylY1qnYpxbQ1Ti5hkb1QfTmPMp0iEpGw/oQhfUhuE7mrU6ihALai1cluXsnMQUn d8UhlknT8NKhoLhNzzOjJk2feFYw9OssGEoL6G5Mj404ReGIbzIrxOUI9xcLlt/ONG+h NWAJPJ6o0qA2aoQIcx+3DyMAzfEy8Ac+OkcoiaaY7G/e3k4J671oaUQsuK44nTsp6b5b MqTlRBluPDGBWTvUAiD9KkXrafEQD7ovKaliMG6E/5wiq715oZ3KgoI8btShjaN17v5V 4Blg== X-Received: by 10.194.110.4 with SMTP id hw4mr32296345wjb.135.1445250319503; Mon, 19 Oct 2015 03:25:19 -0700 (PDT) Received: from T420.taylan ([2a02:908:c32:4740:221:ccff:fe66:68f0]) by smtp.gmail.com with ESMTPSA id gd10sm39301866wjb.47.2015.10.19.03.25.18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Oct 2015 03:25:18 -0700 (PDT) From: taylanbayirli@gmail.com (Taylan Ulrich =?utf-8?Q?Bay=C4=B1rl=C4=B1?= =?utf-8?Q?=2FKammer?=) To: Eli Zaretskii Subject: Re: bug#21702: shell-quote-argument semantics and safety References: <871tcstkuk.fsf@T420.taylan> <83pp0chzax.fsf@gnu.org> <874mhoq9ct.fsf@T420.taylan> <83h9lohsao.fsf@gnu.org> <87h9lnpb0o.fsf@T420.taylan> <83twpnguzz.fsf@gnu.org> <87vba3nrg7.fsf@T420.taylan> <83io63gq55.fsf@gnu.org> <87lhaznq5c.fsf@T420.taylan> <83eggrgnyp.fsf@gnu.org> Date: Mon, 19 Oct 2015 12:25:17 +0200 In-Reply-To: <83eggrgnyp.fsf@gnu.org> (Eli Zaretskii's message of "Mon, 19 Oct 2015 13:19:26 +0300") Message-ID: <87h9lnnoj6.fsf@T420.taylan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 21702 Cc: 21702@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Eli Zaretskii writes: >> From: taylanbayirli@gmail.com (Taylan Ulrich Bay=C4=B1rl=C4=B1/Kammer) >> Cc: 21702@debbugs.gnu.org >> Date: Mon, 19 Oct 2015 11:50:23 +0200 >>=20 >> I don't understand why you're trying to make everything so difficult. > > I don't. We just disagree, that's all. > > I modified the doc string to add the missing information about the > shells for which the function was designed. I don't think we should > add anything else, for the reasons I pointed out already. > >> If for reasons unclear to me you absolutely refuse to accept these >> improvements to shell-quote-argument's documentation, I will just >> continue not using the function, because it cannot be trusted. > > How can documentation make a function more trustworthy? And what does > that have to do with this bug report? This bug report is about the > documentation of shell-quote-argument, not whether it is safe and > should or should not be used. > > I think this bug should be closed now. I don't want to repeat myself for the dozenth time so do as you wish, I'll simply continue not using the function nonchalantly and recommend others to do the same. Taylan From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 21 23:50:07 2015 Received: (at 21702-done) by debbugs.gnu.org; 22 Oct 2015 03:50:07 +0000 Received: from localhost ([127.0.0.1]:60006 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zp6tB-0006lg-PL for submit@debbugs.gnu.org; Wed, 21 Oct 2015 23:50:06 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:46346) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1Zp6sq-0006kq-SA for 21702-done@debbugs.gnu.org; Wed, 21 Oct 2015 23:50:03 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id D5A421601AA; Wed, 21 Oct 2015 20:49:43 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id Z_1t44tdEKiC; Wed, 21 Oct 2015 20:49:42 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id CBB93160D51; Wed, 21 Oct 2015 20:49:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id cpjVeRzirMRX; Wed, 21 Oct 2015 20:49:42 -0700 (PDT) Received: from Penguin.CS.UCLA.EDU (Penguin.CS.UCLA.EDU [131.179.64.200]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id B207B1601AA; Wed, 21 Oct 2015 20:49:42 -0700 (PDT) To: 21702-done@debbugs.gnu.org From: Paul Eggert Subject: Re: shell-quote-argument semantics and safety Organization: UCLA Computer Science Department Message-ID: <56285CD1.5010104@cs.ucla.edu> Date: Wed, 21 Oct 2015 20:49:37 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 21702-done Cc: =?UTF-8?Q?Taylan_Ulrich_Bay=c4=b1rl=c4=b1/Kammer?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.0 (/) I installed a patch to the Emacs manual that attempts to address the documentation problem, and am boldly closing the bug. The bug report can be reopened if more work is needed re shell-quote-argument's documentation. For the patch, please see: http://git.savannah.gnu.org/cgit/emacs.git/commit/?id=f373e812d95e1822833f88db024e011a769998b4 From unknown Sun Jun 15 08:28:11 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Thu, 19 Nov 2015 12:24:03 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator