Re: [PATCH] Add shell-quasiquote.
From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sat, 17 Oct 2015 22:28:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Eli Zaretskii <address@hidden> writes:
>> From: address@hidden (Taylan Ulrich Bayırlı/Kammer)
>> Cc: address@hidden
>> Date: Sat, 17 Oct 2015 20:23:17 +0200
>>
>> > I don't think we'd like to have packages limited in that way. AFAIK,
>> > we didn't until now, at least not consciously.
>>
>> Quoting RMS, coincidentally from a couple days ago:
>>
>> The policy is non-GNU systems are secondary, and lower priority than
>> the GNU system, but we are glad to include support for them in GNU
>> packages if users contribute the necessary code -- provided that
>> code isn't a maintenance problem for us.
>>
>> The maintainers of any particular package are the ones who judge
>> whether that code is a maintenance problem, since they are the ones
>> it would be a problem for.
>
> I don't see how this is relevant for the issue at hand, since the
> necessary code (the shell-quote-argument function) was already
> contributed to Emacs years ago, and is used in many places in core
> Emacs. There's no extra effort needed to support more platforms, just
> replace one function with another.

You seem to be implying that using shell-quote-argument will uphold the
invariant that the code is safe against injection. I'm asking for
explicit confirmation of that. Once I have confirmation of that, sure,
I will use it and thus make my code portable. As it stands, I don't
know whether doing that change would really make my code portable with
the same safety guarantees, or weaken the safety guarantees.

>> I generally don't want to take responsibility of my code being used on
>> non-GNU/non-POSIX systems, but if I can share the responsibility then
>> that's fine.
>
> You are sharing the responsibility with a long line of Emacs
> developers, all of whom use this function. I don't see anything you
> should worry about, really.

I can't have responsibility over every single Elisp function in Emacs,
as no developer can. In particular I *can't* take responsibility over
shell-quote-argument because I don't know any shell syntax other than
POSIX.

And I surely do worry whether users of my library will be subject to
arbitrary code injection.

>> > And it really isn't a big deal. Emacs already has all the
>> > infrastructure for portable handling of shell commands.
>> >
>> >> How much can I rely on shell-quote-argument?
>> >
>> > You can rely on it. Emacs uses it in umpteen important places.
>> >
>> >> Can one fully rely on it being safe against code injection?
>> >
>> > I don't think I understand what code injection you had in mind.
>> > Please elaborate.
>>
>>   (let ((file-list (read where-ever)))
>>     (shqq (cp -- ,@file-list some-place)))
>>
>> That code is *guaranteed* to either copy the files in file-list to
>> some-place, or error, so long as the argument quoting by shqq works
>> well. If it has a bug, then malicious input from where-ever may be able
>> to execute arbitrary shell commands.
>>
>> Is shell-quote-argument safe against such a thing? My shqq-quote-string
>> isn't exactly formally proven to be safe either, but its implementation
>> is so simple it's fairly obvious that it doesn't contain bugs.
>
> Please take a look at the implementation of shell-quote-argument. It
> uses the same interfaces as your implementation, no more, no less. If
> your implementation is safe, then so is shell-quote-argument.

I have taken a look. It doesn't use the same strategy even for POSIX
shells, and I can't be as sure of its safety as I am of the safety of my
implementation. When it comes to non-POSIX shells, I have no clue.

If someone explicitly confirms to me that the function is very obviously
safe against injection on all shells it supports, then I will use it.
So far, seeing things like

    ;; This should be safe enough even for really weird shells.

and the implementation complexity for the ms-dos and windows-nt variants
(though as I said I have no clue about those) doesn't exactly inspire
confidence.

Taylan
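
Added example, not part of the original message and not code from shell-quasiquote or Emacs: the "copy these files or error" guarantee discussed above reduces to a round-trip property, namely that a POSIX shell parsing the quoted form yields exactly one word equal to the input. The function names are hypothetical, the sample inputs are constructed, and the single-quote strategy is the common POSIX idiom, assumed here rather than taken from shqq-quote-string.

```shell
# Added example: POSIX single-quote quoting and a round-trip check.
# sq_quote, roundtrips, unquoted_roundtrips, check_samples are hypothetical names.

# Wrap $1 in single quotes; each embedded ' becomes '\'' (close, literal quote, reopen).
sq_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) head=${s%%\'*}; s=${s#*\'}; out=$out$head\'\\\'\' ;;
            *) break ;;
        esac
    done
    printf "'%s'" "$out$s"
}

# True when a child shell parses the quoted form back into one word equal to $1.
# The trailing "." keeps command substitution from hiding trailing newlines, and
# printf repeats its format per argument, so any word splitting changes the output.
roundtrips() {
    quoted=$(sq_quote "$1")
    got=$(sh -c "printf '%s.' $quoted")
    [ "$got" = "$1." ]
}

# Contrast: the same check with the value interpolated unquoted.
unquoted_roundtrips() {
    got=$(sh -c "printf '%s.' $1" 2>/dev/null)
    [ "$got" = "$1." ]
}

nl='
'
# Constructed inputs: metacharacters, substitutions, globs, newlines, empty string.
check_samples() {
    fails=0
    for sample in "it's" 'x; echo INJECTED' '$(echo INJECTED)' \
        '`echo INJECTED`' 'a  b *' "two${nl}lines${nl}" "'" '' \
        '-- "$HOME" \'
    do
        roundtrips "$sample" || fails=$((fails + 1))
    done
    echo "$fails"
}

echo "round-trip failures: $(check_samples)"
```

The check only covers POSIX sh; it says nothing about the ms-dos and windows-nt quoting rules raised in the message.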