emacs-devel

Re: [PATCH] Add shell-quasiquote.


From: Michael Albinus
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:55:09 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

address@hidden (Taylan Ulrich "Bayırlı/Kammer") writes:

> Can a remote host arrange for TRAMP to use shell-quote-argument on
> arbitrary strings and pass these to a shell that could potentially be
> csh, or any shell we don't know shell-quote-argument to be safe for?

Tramp uses `shell-quote-argument' on strings it has constructed
itself. But those strings contain file names Tramp has read on the
remote side. There is no check of what the contents of such file names are.

There is no special check on a remote shell being csh. But most of the
shell commands Tramp emits require a bournish shell. Otherwise, there
would be syntax errors soon, and Tramp would cease to continue on that
host.

In theory, anything could go with unknown file name strings. But I'm not
aware how one could exploit it. If you could show me a real exploit, I
will react.

> Taylan

Best regards, Michael.

PS: I'm working as a Security Consultant, and so I am paranoid by
definition. But I'm not *that* paranoid until I see there are good
reasons for it.
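
One way to check how `shell-quote-argument' output is read back by a given shell, as an added example that is not part of the original message or of Tramp: it quotes constructed file names, hands each to the shell via `-c`, and returns the names that do not come back unchanged. The `sq-demo-*` names and the sample list are hypothetical.

```elisp
;; Added example, not Tramp's code.  All sq-demo-* names are hypothetical.
(require 'cl-lib)

(defvar sq-demo-names
  ;; Constructed sample file names covering common shell metacharacters.
  '("plain.txt" "two words" "semi;colon" "dollar$HOME" "back`tick`"
    "quote'single" "quote\"double" "star*" "bang!hist" "new\nline"))

(defun sq-demo-roundtrip (shell name)
  "Quote NAME with `shell-quote-argument' and return what SHELL passes on.
SHELL is a list: the program followed by any extra arguments."
  (unless (executable-find (car shell))
    (user-error "Shell not found: %s" (car shell)))
  (with-temp-buffer
    ;; Destination (t nil): stdout into this buffer, stderr discarded.
    (apply #'call-process (car shell) nil '(t nil) nil
           (append (cdr shell)
                   (list "-c" (concat "printf '%s' "
                                      (shell-quote-argument name)))))
    (buffer-string)))

(defun sq-demo-check (shell)
  "Return the names in `sq-demo-names' that SHELL does not hand back intact.
An empty result means every sample survived quoting for that shell."
  (cl-remove-if (lambda (name)
                  (equal name (sq-demo-roundtrip shell name)))
                sq-demo-names))

;; Usage, from M-: or *scratch*:
;;   (sq-demo-check '("sh"))         ; a Bourne-style shell
;;   (sq-demo-check '("csh" "-f"))   ; if csh is installed; -f skips ~/.cshrc
```

A syntax error in the shell leaves the output empty, so the affected name shows up in the returned list rather than being silently skipped.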


