GNU bug report logs - #61709
[PATCH] Security hardening: safely invoke `shell-command*' function.


Package: emacs;

Reported by: Xi Lu <lx <at> shellcodes.org>

Date: Wed, 22 Feb 2023 14:38:02 UTC

Severity: normal

Tags: patch

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.



Message #14 received at 61709 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: lux <lx <at> shellcodes.org>
Cc: 61709 <at> debbugs.gnu.org
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Thu, 23 Feb 2023 17:58:58 +0200

> From: lux <lx <at> shellcodes.org>
> Cc: 61709 <at> debbugs.gnu.org
> Date: Thu, 23 Feb 2023 21:17:12 +0800
> 
> You're right, thank you. I rewrote this patch.
> 
> Let me briefly explain this patch:
> 
> 1. I think `filesets-select-command' does not need to be fixed, because it
> is not used, and I cleaned up the relevant old comments in
> `filesets-external-viewers'.
> 
> 2. I used `shell-quote-argument' to replace `filesets-quote' and
> `(format "%S" ...)', because in the shell, double quotation marks can
> still execute unexpected code, such as $(), `command` and $var.

Thanks.  I hesitate installing this because I don't myself use
filesets, and we don't have tests for it.  So I'm not sure how to
ensure that we don't break this package.

Does someone else here use filesets?
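The quoting point made in the thread, as an added example that is not part of the patch or of filesets.el: `(format "%S" ...)` wraps a file name in double quotes, and a POSIX shell still performs `$(...)`, backtick and `$VAR` expansion inside double quotes, whereas `shell-quote-argument` (on POSIX shells) single-quotes the argument so it reaches the program literally. The function names, the sample file name and the use of `printf` as a stand-in "viewer" are assumptions for this illustration; only the safe form is executed, the unsafe form is just built so the two command strings can be compared.

```elisp
;; Added example (not from the patch or from filesets.el): contrasts the old
;; `(format "%S" ...)' quoting with `shell-quote-argument' on a constructed
;; file name.  Function names and the sample file name are assumptions.
;; Assumes `shell-file-name' is a POSIX shell (sh/bash).

(require 'subr-x)  ; for `string-trim'

(defun demo-viewer-command-unsafe (viewer file)
  "Build a shell command for VIEWER on FILE using %S (double quotes).
Inside POSIX double quotes, $(...), `...` and $VAR are still expanded,
so a crafted FILE can run code.  Built for comparison only; not executed."
  (format "%s %S" viewer file))

(defun demo-viewer-command-safe (viewer file)
  "Build a shell command for VIEWER on FILE using `shell-quote-argument'.
On POSIX shells the argument is wrapped in single quotes (with embedded
single quotes escaped), so the shell performs no expansion on it."
  (concat viewer " " (shell-quote-argument file)))

;; Constructed file name carrying the three constructs named in the thread.
(defconst demo-file-name "notes $(id) `id` $HOME.txt")

(defun demo-quoting-comparison ()
  "Return a plist with both command strings and a literal round-trip check.
`printf' echoes its argument verbatim, so the only thing that can alter the
output is how the shell parsed the quoted file name.  Only the safe
command is run; the unsafe one is returned as a string for inspection."
  (let* ((viewer "printf '%s\\n'")
         (unsafe (demo-viewer-command-unsafe viewer demo-file-name))
         (safe   (demo-viewer-command-safe   viewer demo-file-name)))
    (list :unsafe-command unsafe
          :safe-command   safe
          ;; t when the file name survives the shell unchanged.
          :safe-preserves-literal
          (equal (string-trim (shell-command-to-string safe))
                 demo-file-name))))

;; Evaluate (demo-quoting-comparison) in *scratch* or with M-: to compare.
```

Evaluating `(demo-quoting-comparison)` shows the unsafe string as `printf '%s\n' "notes $(id) `id` $HOME.txt"`, where every construct is live for the shell, beside the safe string `printf '%s\n' 'notes $(id) `id` $HOME.txt'`, and `:safe-preserves-literal` is `t` because single quotes hand the name through untouched. The same comparison is a reasonable basis for a regression test should filesets ever get one.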



