GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability


Package: emacs;

Reported by: lux <lx <at> shellcodes.org>

Date: Sun, 4 Dec 2022 13:52:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #44 received at 59817 <at> debbugs.gnu.org (full text, mbox):

From: Francesco Potortì <pot <at> gnu.org>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: lux <lx <at> shellcodes.org>, 59817 <at> debbugs.gnu.org, stefankangas <at> gmail.com
Subject: Re: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 16:19:32 +0100
>I don't understand why you need an extra pair of quotes in the expanded
>string.
>
>  $ echo \''hello; world'
>  'hello; world
>
>As you see, the semi-colon was successfully hidden from the shell.
>
>What am I missing?

That only works at the beginning or end of a string.  In general, inside a single-quoted string, single quotes are not allowed.  So, to include a single quote inside a single-quoted string, you have to:
- close the quoted string using '
- put a literal single quote using \'
- reopen the quoted string using '

If you want to avoid checking for the special cases of a stray single string at beginning or end of the original string, you just quote everything with a single quote at beginning and end, and then substitute each ' with '\''.
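
The quoting rule described in this message, as an added example that is not part of the thread or of the etags patch: a C helper that wraps a string in single quotes and replaces each ' with '\'', so a POSIX sh reads the result as one literal word. The name shell_quote and the sample strings are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote S as one word for a POSIX sh command line: wrap it in single
   quotes and replace each embedded ' with '\'' (close, literal quote,
   reopen).  Returns malloc'd memory, or NULL on allocation failure.
   shell_quote is a name made up for this example, not etags code. */
char *shell_quote (const char *s)
{
  size_t n = 3;                 /* opening quote, closing quote, NUL */
  for (const char *p = s; *p; p++)
    n += (*p == '\'') ? 4 : 1;  /* each ' becomes the 4 bytes '\'' */

  char *out = malloc (n);
  if (!out)
    return NULL;

  char *q = out;
  *q++ = '\'';
  for (const char *p = s; *p; p++)
    if (*p == '\'')
      {
        memcpy (q, "'\\''", 4);
        q += 4;
      }
    else
      *q++ = *p;
  *q++ = '\'';
  *q = '\0';
  return out;
}

int main (void)
{
  /* Constructed sample names; the second is the one from the quoted reply. */
  const char *samples[] = { "hello; world", "'hello; world", "it's", "'" };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      char *quoted = shell_quote (samples[i]);
      if (!quoted)
        return 1;
      printf ("%-16s -> %s\n", samples[i], quoted);
      free (quoted);
    }
  return 0;
}
```

Because every single quote is rewritten the same way, a quote at the beginning, middle or end of the string needs no special case.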




This bug report was last modified 2 years and 167 days ago.
