From: bug#61709 <61709@debbugs.gnu.org>
Subject: Status: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Fri, 20 Jun 2025 14:09:03 +0000

retitle 61709 [PATCH] Security hardening: safely invoke `shell-command*' function.
reassign 61709 emacs
submitter 61709 Xi Lu
severity 61709 normal
tag 61709 patch
thanks

From: Xi Lu
To: bug-gnu-emacs@gnu.org
Subject: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Wed, 22 Feb 2023 22:35:54 +0800
X-OQ-MSGID: <20230222143554.171500-1-lx@shellcodes.org>

* lisp/filesets.el: (filesets-select-command, filesets-which-command,
filesets-spawn-external-viewer, filesets-run-cmd): Add `shell-quote-argument'
---
 lisp/filesets.el | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lisp/filesets.el b/lisp/filesets.el
index 1b7e6ffa81f..96ac11bb40b 100644
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -165,14 +165,15 @@ filesets-select-command "Select one command from CMD-LIST -- a string with space separated names." (let ((this (shell-command-to-string (format "which --skip-alias %s 2> %s | head -n 1" - cmd-list null-device)))) + (shell-quote-argument cmd-list) + (shell-quote-argument null-device))))) (if (equal this "") nil (file-name-nondirectory (substring this 0 (- (length this) 1)))))) (defun filesets-which-command (cmd) "Call \"which CMD\"." - (shell-command-to-string (format "which %s" cmd))) + (shell-command-to-string (format "which %s" (shell-quote-argument cmd)))) (defun filesets-which-command-p (cmd) "Call \"which CMD\" and return non-nil if the command was found." @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer (funcall vwr file) nil) (co-flag - (shell-command-to-string (format "%s %s" vwr args))) + (shell-command-to-string (shell-quote-argument + (format "%s %s" vwr args)))) (t - (shell-command (format "%s %s&" vwr args)) + (shell-command (shell-quote-argument + (format "%s %s&" vwr args))) nil)))) (if co-flag (progn 
@@ -1578,7 +1581,7 @@ filesets-run-cmd " ")) (cmd (concat fn " " args))) (filesets-cmd-show-result - cmd (shell-command-to-string cmd)))) + cmd (shell-command-to-string (shell-quote-argument cmd))))) ((symbolp fn) (apply fn (mapcan (lambda (this)
-- 
2.39.2

Date: Wed, 22 Feb 2023 17:29:23 +0200
Message-Id: <83y1opra5o.fsf@gnu.org>
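Review bot: in the `@@ -165,14 +165,15 @@` hunk, `(shell-quote-argument cmd-list)` in `filesets-select-command` contradicts the docstring ("a string with space separated names"): the whole list becomes one escaped word, so `which` is asked for a single command whose name contains spaces and never finds any of the candidates. Quote each name on its own, e.g. `(mapconcat #'shell-quote-argument (split-string cmd-list) " ")`. The `filesets-which-command` change in the same hunk is fine, since `cmd` is one argument there.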
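Review bot: in the `@@ -1264,9 +1265,11 @@` hunk (`filesets-spawn-external-viewer`), wrapping the entire `(format "%s %s" vwr args)` in `shell-quote-argument` turns the viewer, its arguments and, in the second branch, the trailing `&` into one escaped word: the shell then looks for a program whose name is the whole line, and the `&` is a literal character rather than a request to run in the background. The quoting belongs where `args` is assembled from the file name, applying `shell-quote-argument` to `file` (and to each item that is formatted into `args`) while leaving `vwr` and the `&` alone; alternatively avoid the shell entirely with `call-process` or `start-process` and an argument list.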
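Review bot: in the `@@ -1578,7 +1581,7 @@` hunk (`filesets-run-cmd`), `cmd` is `(concat fn " " args)`, not a single argument, so `(shell-quote-argument cmd)` makes the shell search for an executable literally named `fn args...` and the command silently stops working instead of being hardened. Quote the individual elements at the point where `args` is joined with `" "` in the context just above, and leave the assembled line unquoted, or run `fn` via `call-process` with the arguments as a list.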
From: Eli Zaretskii
To: Xi Lu
Cc: 61709@debbugs.gnu.org
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
In-Reply-To: (message from Xi Lu on Wed, 22 Feb 2023 22:35:54 +0800)

> Cc: Xi Lu
> From: Xi Lu
> Date: Wed, 22 Feb 2023 22:35:54 +0800
>
>  (defun filesets-which-command-p (cmd)
>    "Call \"which CMD\" and return non-nil if the command was found."
> @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
>                   (funcall vwr file)
>                   nil)
>                  (co-flag
> -                 (shell-command-to-string (format "%s %s" vwr args)))
> +                 (shell-command-to-string (shell-quote-argument
> +                                           (format "%s %s" vwr args))))
>                  (t
> -                 (shell-command (format "%s %s&" vwr args))
> +                 (shell-command (shell-quote-argument
> +                                 (format "%s %s&" vwr args)))
>                   nil))))

These two cannot be right: you are quoting several separate
command-line arguments.

>         (if co-flag
>             (progn
> @@ -1578,7 +1581,7 @@ filesets-run-cmd
>                                        " "))
>                             (cmd (concat fn " " args)))
>                         (filesets-cmd-show-result
> -                        cmd (shell-command-to-string cmd))))
> +                        cmd (shell-command-to-string (shell-quote-argument cmd)))))
>                      ((symbolp fn)
>                       (apply fn
>                              (mapcan (lambda (this)

I think this is also wrong: cmd is not a single word.

In general, you cannot quote arbitrary parts of a shell command, you
can only quote each command-line argument separately.

X-OQ-MSGID: <10bf7130a4259ee2328f13e389190e99b78ade8b.camel@shellcodes.org>
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
From: lux
To: Eli Zaretskii
Date: Thu, 23 Feb 2023 21:17:12 +0800
In-Reply-To: <83y1opra5o.fsf@gnu.org>

On Wed, 2023-02-22 at 17:29 +0200, Eli Zaretskii wrote:
> > [...]
>
> These two cannot be right: you are quoting several separate
> command-line arguments.
>
> > [...]
>
> I think this is also wrong: cmd is not a single word.
>
> In general, you cannot quote arbitrary parts of a shell command, you
> can only quote each command-line argument separately.

You're right, thank you. I rewrote this patch.

Let me briefly explain this patch:

1. I think `filesets-select-command' does not need to be fixed, because it
is not used, and I cleaned up relevant old comments in
`filesets-external-viewers'.

2. Using `shell-quote-argument' to replace `filesets-quote' and
`(format "%S" ...)'. Because in the shell, double quotation marks can
still execute unexpected code, such as $(), `command` and $var.

[Attachment: 0001-Security-hardening-safely-invoke-shell-command-funct.patch, text/x-patch]

Date: Thu, 23 Feb 2023 17:58:58 +0200
Message-Id: <83sfewpe4d.fsf@gnu.org>
From: Eli Zaretskii
To: lux
Cc: 61709@debbugs.gnu.org
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
In-Reply-To: (message from lux on Thu, 23 Feb 2023 21:17:12 +0800)
References: <83y1opra5o.fsf@gnu.org>

> From: lux
> Cc: 61709@debbugs.gnu.org
> Date: Thu, 23 Feb 2023 21:17:12 +0800
>
> You're right, thank you. I rewrote this patch.
>
> Let me briefly explain this patch:
>
> 1. I think `filesets-select-command' does not need to be fixed, because it
> is not used, and I cleaned up relevant old comments in
> `filesets-external-viewers'.
>
> 2. Using `shell-quote-argument' to replace `filesets-quote' and
> `(format "%S" ...)'. Because in the shell, double quotation marks can
> still execute unexpected code, such as $(), `command` and $var.

Thanks.

I hesitate installing this because I don't myself use filesets, and we
don't have tests for it. So I'm not sure how to ensure that we don't
break this package.

Does someone else here use filesets?
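The two points made in this exchange, that quoting a whole command line is not the same as quoting each argument (Eli's review) and that double quotes still let `$()`, backticks and `$var` expand (lux's item 2), shown in POSIX sh as an added example; this is not code from the thread or from filesets.el. `quote_arg` is modelled on the POSIX branch of Emacs's `shell-quote-argument` (an assumption about its rule: every byte outside `[-0-9a-zA-Z_./]` gets a backslash; embedded newlines are not handled), and the viewer and file name are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from filesets.el.

# quote_arg: single-argument quoting modelled on the POSIX branch of Emacs's
# `shell-quote-argument' (assumption: backslash-escape every byte outside
# [-0-9a-zA-Z_./]; an embedded newline is not handled here).
quote_arg() {
  if [ -z "$1" ]; then
    printf '%s' "''"
  else
    printf '%s' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
  fi
}

# Four ways of building the "VIEWER FILE" line that filesets hands to
# shell-command-to-string.  $1 is the viewer, $2 the file name.
# 1. Original code: raw interpolation, like (format "%s %s" vwr args).
cmdline_raw()   { printf '%s %s' "$1" "$2"; }
# 2. Double quotes around the file name, like filesets-quote / (format "%S").
cmdline_dq()    { printf '%s "%s"' "$1" "$2"; }
# 3. The rejected hunk: the whole line run through shell-quote-argument.
cmdline_whole() { quote_arg "$1 $2"; }
# 4. What the review asks for: each command-line argument quoted on its own.
cmdline_each()  { printf '%s %s' "$(quote_arg "$1")" "$(quote_arg "$2")"; }

# Run a command line the way shell-command-to-string does: through the shell.
# Prints the command's stdout and returns its exit status.
run_cmdline() { sh -c "$1" 2>/dev/null; }

# Constructed sample input: a harmless "viewer" and a file name carrying a
# command substitution, the kind of metacharacter a name taken from an
# untrusted directory listing could contain.
VIEWER=echo
FILE='report $(echo INJECTED).pdf'

demo() {
  for build in cmdline_raw cmdline_dq cmdline_whole cmdline_each; do
    line=$("$build" "$VIEWER" "$FILE")
    out=$(run_cmdline "$line") && rc=0 || rc=$?
    printf '%-13s %-44s -> stdout=[%s] rc=%s\n' "$build" "$line" "$out" "$rc"
  done
}
# Expected: cmdline_raw and cmdline_dq both print "report INJECTED.pdf" (the
# substitution ran, quotes or not); cmdline_whole prints nothing with rc=127
# (the shell looked for a program named "echo report $(echo INJECTED).pdf");
# cmdline_each prints the file name verbatim, substitution and all.
demo
```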

X-OQ-MSGID: <50b887d28cf1f97e9b4a0a54d87f2012674105fc.camel@shellcodes.org>
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
From: lux
To: Eli Zaretskii
Date: Mon, 05 Feb 2024 14:13:28 +0800
In-Reply-To: <83y1opra5o.fsf@gnu.org>
References: <83y1opra5o.fsf@gnu.org>

> > From: Xi Lu > > Date: Wed, 22 Feb 2023 22:35:54 +0800 > > > >  (defun filesets-which- [...] Content analysis details: (2.6 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [162.62.57.49 listed in list.dnswl.org] 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager 3.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1) --=-bhxOSH5o5VkuTNMrlOoZ Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, 2023-02-22 at 17:29 +0200, Eli Zaretskii wrote: > > Cc: Xi Lu > > From: Xi Lu > > Date: Wed, 22 Feb 2023 22:35:54 +0800 > >=20 > > =C2=A0(defun filesets-which-command-p (cmd) > > =C2=A0=C2=A0 "Call \"which CMD\" and return non-nil if the command was = found." 
> > @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer > > =C2=A0 =C2=A0 (funcall vwr file) > > =C2=A0 =C2=A0 nil) > > =C2=A0 (co-flag > > - =C2=A0 (shell-command-to-string (format "%s %s" vwr args))) > > + =C2=A0 (shell-command-to-string (shell-quote-argument > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (format "%s %s" vwr args)))) > > =C2=A0 (t > > - =C2=A0 (shell-command (format "%s %s&" vwr args)) > > + =C2=A0 (shell-command (shell-quote-argument > > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (format "%s %s&" vwr= args))) > > =C2=A0 =C2=A0 nil)))) >=20 > These two cannot be right: you are quoting several separate > command-line arguments. >=20 > > =C2=A0 =C2=A0 (if co-flag > > =C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (progn 
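Review bot: in both the `co-flag` and the `t` branch, `shell-quote-argument` is applied to the whole `(format "%s %s" vwr args)` string, so the viewer name, its arguments and, in the `t` branch, the trailing `&` are collapsed into a single shell word; the shell will then look for a program whose name is literally "vwr args" (and never background it), so the hunk disables the viewer instead of hardening it. Quote each component on its own when the command line is assembled (`shell-quote-argument` on the program name and on every argument, joined with spaces), or leave the shell out entirely and hand an argument list to `start-process` or `call-process`, where no quoting is needed because the file name is passed as one argv element.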
> > @@ -1578,7 +1581,7 @@ filesets-run-cmd
> >       " "))
> >   (cmd (concat fn " " args)))
> >       (filesets-cmd-show-result
> > -      cmd (shell-command-to-string cmd))))
> > +      cmd (shell-command-to-string (shell-quote-
> > argument cmd)))))
> >   ((symbolp fn)
> >     (apply fn
> >            (mapcan (lambda (this)
> 
> I think this is also wrong: cmd is not a single word.
> 
> In general, you cannot quote arbitrary parts of a shell command, you
> can only quote each command-line argument separately.
> 
> 
> 

This patch went unaddressed for a long time, so just to be on the safe side, I only remove the `filesets-select-command' function.

Attachment 0001-Removed-the-filesets-select-command-which-was-unused.patch (text/x-patch, decoded from base64):

From 8f8db0851e9fd265a6bb106f3adf0168195162b8 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Mon, 5 Feb 2024 13:41:13 +0800
Subject: [PATCH] Removed the `filesets-select-command', which was unused and
 unsafe.

* lisp/filesets.el: Removed the `filesets-select-command'.
---
 lisp/filesets.el | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/lisp/filesets.el b/lisp/filesets.el
index 4e2de8fed1b..23a8dbc4e85 100644
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -161,15 +161,6 @@ 'filesets-some
 (define-obsolete-function-alias 'filesets-member #'cl-member "28.1")
 (define-obsolete-function-alias 'filesets-sublist #'seq-subseq "28.1")
 
-(defun filesets-select-command (cmd-list)
-  "Select one command from CMD-LIST -- a string with space separated names."
-  (let ((this (shell-command-to-string
-	       (format "which --skip-alias %s 2> %s | head -n 1"
-		       cmd-list null-device))))
-    (if (equal this "")
-	nil
-      (file-name-nondirectory (substring this 0 (- (length this) 1))))))
-
 (defun filesets-which-command (cmd)
   "Call \"which CMD\"."
   (shell-command-to-string (format "which %s" cmd)))
@@ -546,18 +537,7 @@ filesets-commands
                                        (function :tag "Function"))))))
 
 (defcustom filesets-external-viewers
-  (let
-      ;; ((ps-cmd  (or (and (boundp 'my-ps-viewer) my-ps-viewer)
-      ;;    	    (filesets-select-command "ggv gv")))
-      ;;  (pdf-cmd (or (and (boundp 'my-ps-viewer) my-pdf-viewer)
-      ;;    	    (filesets-select-command "xpdf acroread")))
-      ;;  (dvi-cmd (or (and (boundp 'my-ps-viewer) my-dvi-viewer)
-      ;;    	    (filesets-select-command "xdvi tkdvi")))
-      ;;  (doc-cmd (or (and (boundp 'my-ps-viewer) my-doc-viewer)
-      ;;    	    (filesets-select-command "antiword")))
-      ;;  (pic-cmd (or (and (boundp 'my-ps-viewer) my-pic-viewer)
-      ;;    	    (filesets-select-command "gqview ee display"))))
-      ((ps-cmd  "ggv")
+  (let ((ps-cmd  "ggv")
        (pdf-cmd "xpdf")
        (dvi-cmd "xdvi")
        (doc-cmd "antiword")
-- 
2.43.0
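Review bot: in the `@@ -161,15 +161,6 @@` hunk, the trailing context shows that `filesets-which-command` still does `(shell-command-to-string (format "which %s" cmd))`, the same unquoted `%s` interpolation that made the removed `filesets-select-command` unsafe, so CMD continues to reach the shell unescaped; suggest `(shell-command-to-string (concat "which " (shell-quote-argument cmd)))`, or `(executable-find cmd)`, which answers the same question without a shell. Also, the defun is deleted outright directly below two `define-obsolete-function-alias` declarations that retire other entry points gracefully; a `make-obsolete` declaration, or at least a NEWS entry, would give any third-party caller a warning instead of a void-function error.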
From: Stefan Kangas
To: Eli Zaretskii, lux
Cc: 61709-done@debbugs.gnu.org
Date: Mon, 5 Feb 2024 02:29:55 -0500
In-Reply-To: <83sfewpe4d.fsf@gnu.org>
References: <83y1opra5o.fsf@gnu.org> <83sfewpe4d.fsf@gnu.org>
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Version: 30.1

Eli Zaretskii writes:
>> From: lux
>> Cc: 61709@debbugs.gnu.org
>> Date: Thu, 23 Feb 2023 21:17:12 +0800
>>
>> You're right, thank you. I rewrote this patch.
>>
>> Let me briefly explain this patch:
>>
>> 1. I think `filesets-select-command' does not need to be fixed, because
>> it is not used, and I cleaned up the relevant old comments in
>> `filesets-external-viewers'.
>>
>> 2. Using `shell-quote-argument' to replace `filesets-quote' and
>> `(format "%S" ...)', because in the shell double quotation marks can
>> still execute unexpected code, such as $(), `command` and $var.

Thank you for paying attention to these issues.

Pushed to master as commit 7756e9c7361, and closing the bug.

> Thanks. I hesitate installing this because I don't myself use
> filesets, and we don't have tests for it. So I'm not sure how to
> ensure that we don't break this package.
>
> Does someone else here use filesets?

Let's hope that if it breaks something, someone will report a bug. :-/

From: Debbugs Internal Request
Subject: Internal Control
Date: Mon, 04 Mar 2024 12:24:05 +0000

bug archived.
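As an added example (not code from filesets.el, from the patch, or from any participant in this thread), the following Emacs Lisp demonstrates the two points made in the discussion: Eli's, that only individual command-line arguments can be quoted, never a whole command string, and lux's, that a file name wrapped in double quotes by `(format "%S" ...)` still lets the shell expand `$(...)`, backquotes and `$var`. The `example-` functions and the file name `report$(date).pdf` are constructed for illustration; `shell-quote-argument`, `shell-command-to-string` and `call-process` are standard Emacs functions.

```elisp
;; Added example, not part of filesets.el or of the patch under review.
;; Names prefixed `example-' are illustrative.  `shell-quote-argument',
;; `shell-command-to-string' and `call-process' are standard Emacs APIs.
(require 'subr-x)                       ; for `string-trim'

(defun example-unsafe-command (viewer file)
  "Build \"VIEWER FILE\" the old way: FILE is double-quoted via %S.
POSIX shells still perform $(...), `...` and $VAR expansion inside
double quotes, so a crafted FILE runs code."
  (format "%s %S" viewer file))

(defun example-quoted-command (viewer file)
  "Build \"VIEWER FILE\" with each word passed through `shell-quote-argument'.
Every metacharacter in FILE is backslash-escaped, so the shell sees it
as one literal argument.  Quoting must be done per word; quoting the
whole string would turn the program name and its argument into one word."
  (mapconcat #'shell-quote-argument (list viewer file) " "))

(defun example-run-viewer (viewer file)
  "Run VIEWER on FILE with no shell at all.
`call-process' takes an argument list, so FILE is delivered to VIEWER
byte-for-byte and needs no quoting.  Return (EXIT-STATUS . OUTPUT)."
  (with-temp-buffer
    (let ((status (call-process viewer nil t nil file)))
      (cons status (string-trim (buffer-string))))))

(defun example-shell-sees (command)
  "Run COMMAND through the shell and return its trimmed output.
COMMAND should start with `echo' so the output shows what argv the
shell actually produced."
  (string-trim (shell-command-to-string command)))

;; Constructed hostile file name containing a command substitution.
(let ((file "report$(date).pdf"))
  ;; The %S form keeps the substitution live: the shell replaces
  ;; $(date) with the current date before echo ever runs.
  (message "unsafe command: %s" (example-unsafe-command "echo" file))
  (message "shell produced: %s"
           (example-shell-sees (example-unsafe-command "echo" file)))
  ;; The quoted form reaches echo as the literal file name.
  (message "quoted command: %s" (example-quoted-command "echo" file))
  (message "shell produced: %s"
           (example-shell-sees (example-quoted-command "echo" file)))
  ;; No shell: echo receives the name unchanged as its single argument.
  (message "call-process:   %S" (example-run-viewer "echo" file)))
```

Evaluating the block in `*scratch*` (or with `emacs --batch -l`) prints the three variants side by side; only the first one shows a date where the file name should be. The `call-process` form is the one to prefer in code like `filesets-spawn-external-viewer`, because it removes the quoting question entirely rather than answering it correctly.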