GNU bug report logs - #61709
[PATCH] Security hardening: safely invoke `shell-command*' function.

Previous Next

Package: emacs;

Reported by: Xi Lu <lx <at> shellcodes.org>

Date: Wed, 22 Feb 2023 14:38:02 UTC

Severity: normal

Tags: patch

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #22 received at 61709-done <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>, lux <lx <at> shellcodes.org>
Cc: 61709-done <at> debbugs.gnu.org
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke
 `shell-command*' function.
Date: Mon, 5 Feb 2024 02:29:55 -0500

Version: 30.1

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: lux <lx <at> shellcodes.org>
>> Cc: 61709 <at> debbugs.gnu.org
>> Date: Thu, 23 Feb 2023 21:17:12 +0800
>>
>> You're right, thank you. I rewrited this patch.
>>
>> Let me briefly explain this patch:
>>
>> 1. I think `filesets-select-command' not need fixed, because it not
>> used, and I cleaned up relevant old comments in `filesets-external-
>> viewers'.
>>
>> 2. Using `shell-quote-argument' to replace `filesets-quote' and
>> `(format "%S" ...)'. Because in the shell, double quotation marks can
>> still execute unexpected code, such as $(), `command` and $var.

Thank you for paying attention to these issues.

Pushed to master as commit 7756e9c7361, and closing the bug.

> Thanks.  I hesitate installing this because I don't myself use
> filesets, and we don't have tests for it.  So I'm not sure how to
> ensure that we don't break this package.
>
> Does someone else here use filesets?

Let's hope that if it breaks something, someone will report a bug.  :-/
This bug report was last modified 1 year and 107 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.