GNU bug report logs - #59817
[PATCH] Fix etags local command injection vulnerability
Reported by: lux <lx <at> shellcodes.org>
Date: Sun, 4 Dec 2022 13:52:01 UTC
Severity: normal
Tags: patch
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Message #47 received at 59817 <at> debbugs.gnu.org (full text, mbox):
On Tue, 06 Dec 2022 16:52:40 +0200
Eli Zaretskii <eliz <at> gnu.org> wrote:
> Windows file names cannot include quote characters, so don't use
> them. And it's TEMP value that you need to tweak, not the file names
> etags scans.
Thank you, fixed.
> I don't understand why you need an extra pair of quotes in the
> expanded string.
>
> $ echo \''hello; world'
> 'hello; world
>
> As you see, the semi-colon was successfully hidden from the shell.
>
> What am I missing?
$ echo Emacs > "'hello'world"
$ cat '\''hello\''world' <---- use \'', error
cat: '\hello\world': No such file or directory
$ cat ''\''hello'\''world' <---- use '\''
Emacs
You can also refer to:
1. https://stackoverflow.com/questions/48970174/escape-single-quote-in-command-argument-to-sh-c
2. And I found a similar function in PHP:
$ cat test.php
<?php
echo escapeshellarg("'hello'world");
$ php test.php
''\''hello'\''world'
[0001-Fix-etags-local-command-injection-vulnerability.patch (text/x-patch, attachment)]
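The quoting rule discussed in this message (wrap the whole argument in single quotes and write each embedded single quote as '\''), as an added C example that is not the code from the attached patch. The function name shell_quote and the sample file names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not the function from the attached patch.
   Return a malloc'd copy of S quoted for a POSIX shell: the string is
   wrapped in single quotes and each embedded single quote becomes
   '\'' (close the quoted part, emit an escaped quote, reopen).
   Returns NULL on allocation failure; the caller frees the result.  */
char *
shell_quote (const char *s)
{
  size_t len = 2;               /* opening and closing quote */
  for (const char *p = s; *p; p++)
    len += (*p == '\'') ? 4 : 1;

  char *out = malloc (len + 1);
  if (out == NULL)
    return NULL;

  char *q = out;
  *q++ = '\'';
  for (const char *p = s; *p; p++)
    {
      if (*p == '\'')
        {
          memcpy (q, "'\\''", 4);
          q += 4;
        }
      else
        *q++ = *p;
    }
  *q++ = '\'';
  *q = '\0';
  return out;
}

int
main (void)
{
  /* Constructed sample names, including the one from the message.  */
  const char *names[] = { "'hello'world", "hello; world", "" };
  for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
    {
      char *quoted = shell_quote (names[i]);
      if (quoted == NULL)
        return EXIT_FAILURE;
      printf ("%s\n", quoted);
      free (quoted);
    }
  return EXIT_SUCCESS;
}
```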
This bug report was last modified 2 years and 167 days ago.