GNU bug report logs -
#61709
[PATCH] Security hardening: safely invoke `shell-command*' function.
Previous Next
Reported by: Xi Lu <lx <at> shellcodes.org>
Date: Wed, 22 Feb 2023 14:38:02 UTC
Severity: normal
Tags: patch
Fixed in version 30.1
Done: Stefan Kangas <stefankangas <at> gmail.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Mon, 5 Feb 2024 02:29:55 -0500
with message-id <CADwFkmnFXQpixjnYt88szmHB67M-Ugkx5Pe2Cg0MrnTr8pWXnA <at> mail.gmail.com>
and subject line Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
has caused the debbugs.gnu.org bug report #61709,
regarding [PATCH] Security hardening: safely invoke `shell-command*' function.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
61709: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=61709
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
* lisp/filesets.el:
(filesets-select-command, filesets-which-command,
filesets-spawn-external-viewer, filesets-run-cmd): Add `shell-quote-argument'
---
lisp/filesets.el | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/lisp/filesets.el b/lisp/filesets.el
index 1b7e6ffa81f..96ac11bb40b 100644
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -165,14 +165,15 @@ filesets-select-command
"Select one command from CMD-LIST -- a string with space separated names."
(let ((this (shell-command-to-string
(format "which --skip-alias %s 2> %s | head -n 1"
- cmd-list null-device))))
+ (shell-quote-argument cmd-list)
+ (shell-quote-argument null-device)))))
(if (equal this "")
nil
(file-name-nondirectory (substring this 0 (- (length this) 1))))))
(defun filesets-which-command (cmd)
"Call \"which CMD\"."
- (shell-command-to-string (format "which %s" cmd)))
+ (shell-command-to-string (format "which %s" (shell-quote-argument cmd))))
(defun filesets-which-command-p (cmd)
"Call \"which CMD\" and return non-nil if the command was found."
@@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
(funcall vwr file)
nil)
(co-flag
- (shell-command-to-string (format "%s %s" vwr args)))
+ (shell-command-to-string (shell-quote-argument
+ (format "%s %s" vwr args))))
(t
- (shell-command (format "%s %s&" vwr args))
+ (shell-command (shell-quote-argument
+ (format "%s %s&" vwr args)))
nil))))
(if co-flag
(progn
@@ -1578,7 +1581,7 @@ filesets-run-cmd
" "))
(cmd (concat fn " " args)))
(filesets-cmd-show-result
- cmd (shell-command-to-string cmd))))
+ cmd (shell-command-to-string (shell-quote-argument cmd)))))
((symbolp fn)
(apply fn
(mapcan (lambda (this)
--
2.39.2
[Message part 3 (message/rfc822, inline)]
Version: 30.1
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: lux <lx <at> shellcodes.org>
>> Cc: 61709 <at> debbugs.gnu.org
>> Date: Thu, 23 Feb 2023 21:17:12 +0800
>>
>> You're right, thank you. I rewrited this patch.
>>
>> Let me briefly explain this patch:
>>
>> 1. I think `filesets-select-command' not need fixed, because it not
>> used, and I cleaned up relevant old comments in `filesets-external-
>> viewers'.
>>
>> 2. Using `shell-quote-argument' to replace `filesets-quote' and
>> `(format "%S" ...)'. Because in the shell, double quotation marks can
>> still execute unexpected code, such as $(), `command` and $var.
Thank you for paying attention to these issues.
Pushed to master as commit 7756e9c7361, and closing the bug.
> Thanks. I hesitate installing this because I don't myself use
> filesets, and we don't have tests for it. So I'm not sure how to
> ensure that we don't break this package.
>
> Does someone else here use filesets?
Let's hope that if it breaks something, someone will report a bug. :-/
This bug report was last modified 1 year and 107 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.