GNU bug report logs - #61709
[PATCH] Security hardening: safely invoke `shell-command*' function.


Package: emacs;

Reported by: Xi Lu <lx <at> shellcodes.org>

Date: Wed, 22 Feb 2023 14:38:02 UTC

Severity: normal

Tags: patch

Fixed in version 30.1

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.



Message #8 received at 61709 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Xi Lu <lx <at> shellcodes.org>
Cc: 61709 <at> debbugs.gnu.org
Subject: Re: bug#61709: [PATCH] Security hardening: safely invoke `shell-command*' function.
Date: Wed, 22 Feb 2023 17:29:23 +0200
> Cc: Xi Lu <lx <at> shellcodes.org>
> From: Xi Lu <lx <at> shellcodes.org>
> Date: Wed, 22 Feb 2023 22:35:54 +0800
> 
>  (defun filesets-which-command-p (cmd)
>    "Call \"which CMD\" and return non-nil if the command was found."
> @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer
>  		  (funcall vwr file)
>  		  nil)
>  		 (co-flag
> -		  (shell-command-to-string (format "%s %s" vwr args)))
> +		  (shell-command-to-string (shell-quote-argument
> +                                            (format "%s %s" vwr args))))
>  		 (t
> -		  (shell-command (format "%s %s&" vwr args))
> +		  (shell-command (shell-quote-argument
> +                                  (format "%s %s&" vwr args)))
>  		  nil))))
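Review bot: applying `shell-quote-argument' to the whole string returned by `(format "%s %s" vwr args)' collapses the viewer name and its arguments into one shell word, so the shell will look for a program whose name is that entire string; in the `t' branch the trailing `&' is escaped as well, so the viewer no longer runs in the background. Quote each argument on its own and join afterwards, for example `(concat (shell-quote-argument vwr) " " args)' with `args' itself assembled from individually quoted elements, or bypass the shell entirely by handing the program and its argument list to `start-process' / `call-process', which need no quoting.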

These two cannot be right: you are quoting several separate
command-line arguments.

>  	  (if co-flag
>  	      (progn
> @@ -1578,7 +1581,7 @@ filesets-run-cmd
>  				   " "))
>  				 (cmd (concat fn " " args)))
>  			    (filesets-cmd-show-result
> -			     cmd (shell-command-to-string cmd))))
> +			     cmd (shell-command-to-string (shell-quote-argument cmd)))))
>  			 ((symbolp fn)
>  			  (apply fn
>  			         (mapcan (lambda (this)
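Review bot: `cmd' is `(concat fn " " args)', a full command line whose `args' part was already joined with " " two lines earlier, so wrapping it in `shell-quote-argument' turns the whole line into a single word that the shell cannot resolve as a program. Quote `fn' and each element of `args' separately at the point where they are joined (apply `shell-quote-argument' inside the join that builds `args'), or run `fn' through `call-process' with the argument list, which avoids the shell and any quoting.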

I think this is also wrong: cmd is not a single word.

In general, you cannot quote arbitrary parts of a shell command, you
can only quote each command-line argument separately.
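The per-argument rule stated above, as an added example in Emacs Lisp (this is not code from the patch or from filesets.el; the `example-` functions and the sample file name are invented for illustration). It contrasts quoting the joined command line as one word, which is what the patch does, with quoting each argument before joining, and shows the shell-free alternatives `call-process' and `start-process':

```elisp
;; Added example: per-argument shell quoting versus quoting a whole command
;; line.  Illustrative code, not part of the patch or of Emacs's
;; filesets.el; all `example-' names and the sample file name are invented.

(defun example-shell-command-line (program args)
  "Return a command line that runs PROGRAM with the strings in ARGS.
Every element is quoted on its own with `shell-quote-argument', so a
file name containing spaces, `;' or `$' reaches PROGRAM as one literal
argument instead of being parsed by the shell."
  (mapconcat #'shell-quote-argument (cons program args) " "))

(defun example-quoted-whole-line (program args)
  "Return what the reviewed patch produces: the joined line quoted as ONE word.
The result is a single shell argument, so the shell tries to execute a
program literally named \"PROGRAM ARG1 ARG2...\" and fails."
  (shell-quote-argument (mapconcat #'identity (cons program args) " ")))

(defun example-run-sync (program args)
  "Run PROGRAM on ARGS synchronously and return its standard output.
`call-process' takes the argument list directly, bypassing the shell, so
no quoting is needed at all; this is the safe replacement for the
`shell-command-to-string' branch."
  (with-temp-buffer
    (apply #'call-process program nil t nil args)
    (buffer-string)))

(defun example-run-async (program args)
  "Start PROGRAM on ARGS in the background without a shell.
This replaces the `(shell-command (format \"%s %s&\" ...))' idiom: the
trailing `&' was the only reason a shell was involved."
  (apply #'start-process "example-viewer" nil program args))

;; Constructed sample input: a file name an attacker might choose.
(defvar example-hostile-name "report; rm -rf ~ #.txt")

(defun example-demo ()
  "Build both command lines for the hostile name and return them as a plist."
  (let ((good (example-shell-command-line "cat" (list example-hostile-name)))
        (bad  (example-quoted-whole-line  "cat" (list example-hostile-name))))
    (list :per-argument good :whole-line bad)))
```

Evaluate `(example-demo)` in `M-x ielm`: the `:per-argument` line keeps `cat` as its own word followed by one escaped argument, while the `:whole-line` string is a single escaped word beginning with the program name, which is why the patched code would not run the viewer at all. When the only reason for a shell is backgrounding, `example-run-async` shows that `start-process' gives the same effect with no quoting problem to solve.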







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.