bug-gnu-emacs

bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability


From: Stefan Kangas
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 10:12:31 -0800

Eli Zaretskii <eliz@gnu.org> writes:

> Thanks, but the solution you propose for this is too drastic: it in effect
> rejects legitimate file names just because they have characters which look
> "suspicious".  I think we need a more accurate test, which will not produce
> false positives so easily.  Or maybe we need to ask the user for
> confirmation instead of skipping the files with suspicious names.

I think we could escape the file name using single quotes, but AFAIU we
then need to escape single quote characters too, so that:

    '

becomes

    '\''

See here for why:
https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Single-Quotes

But would it not be better to rewrite etags.c to not use system(1) at
all?
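The single-quote escaping described in the reply above, as an added example in C (not code from the thread or from etags.c; the names `shell_single_quote` and `quoted_equals` are chosen here). It wraps a file name so that a POSIX shell passes it through verbatim, turning each embedded `'` into `'\''`:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap NAME in POSIX single quotes so the shell passes it through verbatim:
   inside single quotes no character is special, but a single quote itself
   cannot appear, so each one becomes '\'' (close, escaped quote, reopen).
   Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *shell_single_quote(const char *name)
{
    size_t len = strlen(name), quotes = 0;
    for (const char *p = name; *p; p++)
        if (*p == '\'')
            quotes++;
    /* two surrounding quotes, three extra bytes per embedded quote, NUL */
    char *out = malloc(len + 2 + quotes * 3 + 1);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Check helper: quote NAME (a constructed sample) and compare the result
   with EXPECTED; returns 1 when they match, 0 otherwise or on failure. */
int quoted_equals(const char *name, const char *expected)
{
    char *q = shell_single_quote(name);
    int same = q != NULL && strcmp(q, expected) == 0;
    free(q);
    return same;
}
```

Passing the quoted name to system() keeps shell metacharacters in the name inert; building an argv and calling execvp() directly, as the reply also suggests, avoids the shell altogether.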
