Re: [PATCH] Add shell-quasiquote.


From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sat, 17 Oct 2015 22:28:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

>> From: address@hidden (Taylan Ulrich Bayırlı/Kammer)
>> Cc: address@hidden
>> Date: Sat, 17 Oct 2015 20:23:17 +0200
>> 
>> > I don't think we'd like to have packages limited in that way.  AFAIK,
>> > we didn't until now, at least not consciously.
>> 
>> Quoting RMS, coincidentally from a couple days ago:
>> 
>>     The policy is non-GNU systems are secondary, and lower priority than
>>     the GNU system, but we are glad to include support for them in GNU
>>     packages if users contribute the necessary code -- provided that
>>     code isn't a maintenance problem for us.
>> 
>>     The maintainers of any particular package are the ones who judge
>>     whether that code is a maintenance problem, since they are the ones
>>     it would be a problem for.
>
> I don't see how this is relevant for the issue at hand, since the
> necessary code (the shell-quote-argument function) was already
> contributed to Emacs years ago, and is used in many places in core
> Emacs.  There's no extra effort needed to support more platforms, just
> replace one function with another.

You seem to be implying that using shell-quote-argument will uphold the
invariant that the code is safe against injection.  I'm asking for
explicit confirmation of that.  Once I have confirmation of that, sure,
I will use it and thus make my code portable.  As it stands, I don't
know whether doing that change would really make my code portable with
the same safety guarantees, or weaken the safety guarantees.

>> I generally don't want to take responsibility for my code being used on
>> non-GNU/non-POSIX systems, but if I can share the responsibility then
>> that's fine.
>
> You are sharing the responsibility with a long line of Emacs
> developers, all of whom use this function.  I don't see anything you
> should worry about, really.

I can't have responsibility for every single Elisp function in Emacs,
as no developer can.  In particular I *can't* take responsibility for
shell-quote-argument because I don't know any shell syntax other than
POSIX.

And I surely do worry whether users of my library will be subject to
arbitrary code injection.

>> > And it really isn't a big deal.  Emacs already has all the
>> > infrastructure for portable handling of shell commands.
>> >
>> >> How much can I rely on shell-quote-argument?
>> >
>> > You can rely on it.  Emacs uses it in umpteen important places.
>> >
>> >> Can one fully rely on it being safe against code injection?
>> >
>> > I don't think I understand what code injection you had in mind.
>> > Please elaborate.
>> 
>> (let ((file-list (read where-ever)))
>>   (shqq (cp -- ,@file-list some-place)))
>> 
>> That code is *guaranteed* to either copy the files in file-list to
>> some-place, or error, so long as the argument quoting by shqq works
>> well.  If it has a bug, then malicious input from where-ever may be able
>> to execute arbitrary shell commands.
>> 
>> Is shell-quote-argument safe against such a thing?  My shqq-quote-string
>> isn't exactly formally proven to be safe either, but its implementation
>> is so simple it's fairly obvious that it doesn't contain bugs.
>
> Please take a look at the implementation of shell-quote-argument.  It
> uses the same interfaces as your implementation, no more, no less.  If
> your implementation is safe, then so is shell-quote-argument.

I have taken a look.  It doesn't use the same strategy even for POSIX
shells, and I can't be as sure of its safety as I am of the safety of my
implementation.  When it comes to non-POSIX shells, I have no clue.

If someone explicitly confirms to me that the function is very obviously
safe against injection on all shells it supports, then I will use it.
So far, seeing things like

      ;; This should be safe enough even for really weird shells.

and the implementation complexity for the ms-dos and windows-nt variants
(though as I said I have no clue about those) doesn't exactly inspire
confidence.

Taylan
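An added example, not part of the patch or of Emacs itself: an Elisp round-trip check of the invariant argued over in this thread, namely that the argument list handed to /bin/sh comes back unchanged whatever the strings contain. `posix-quote` is a hypothetical stand-in for a single-quote strategy like shqq-quote-string, `shell-quote-argument` is Emacs's real function, and the file names are constructed samples; it assumes a POSIX sh at /bin/sh.

```elisp
;; Round-trip check for shell argument quoting (added example, not part of
;; the patch or of Emacs).  Each argument is quoted, the whole list is
;; handed to /bin/sh as one command string, and the shell prints back the
;; argv it actually built.  Correct quoting means the output equals the
;; input for *any* string; a quoting bug shows up as a mismatch.

(defun posix-quote (arg)
  "Hypothetical stand-in for a single-quote quoting strategy.
Inside single quotes a POSIX shell interprets nothing, so the only
character that needs work is the quote itself, spelled '\\''."
  (concat "'" (replace-regexp-in-string "'" "'\\''" arg t t) "'"))

(defun sh-round-trip (quote-fn args)
  "Return the list of arguments /bin/sh receives after quoting ARGS
with QUOTE-FN.  Arguments are separated by NUL so newlines survive;
empty arguments are dropped by the split and are not tested here."
  (let ((cmd (concat "printf '%s\\0' " (mapconcat quote-fn args " "))))
    (with-temp-buffer
      (call-process "/bin/sh" nil t nil "-c" cmd)
      (split-string (buffer-string) "\0" t))))

(defconst hostile-args
  ;; Constructed sample input: names that defeat naive interpolation.
  '("plain.txt"
    "has space.txt"
    "it's.txt"
    "$(echo substituted).txt"
    "`echo substituted`.txt"
    "x'; echo injected; '.txt"
    "semi;colon.txt"
    "new\nline.txt"
    "~tilde*glob?.txt"))

(defun quoting-safe-p (quote-fn)
  "Non-nil if QUOTE-FN carries HOSTILE-ARGS through the shell intact."
  (equal (sh-round-trip quote-fn hostile-args) hostile-args))

;; Both the single-quote strategy and Emacs's own backslash strategy can be
;; checked the same way; this only confirms behaviour on a POSIX sh, not on
;; the ms-dos or windows-nt variants discussed above.
(list (quoting-safe-p #'posix-quote)
      (quoting-safe-p #'shell-quote-argument))
```

Evaluating the final form in a POSIX Emacs session compares both strategies against the same hostile list; any nil there means the shell split or expanded something it should have treated as data.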