bug#21702: shell-quote-argument semantics and safety
From: Taylan Ulrich Bayırlı/Kammer
Subject: bug#21702: shell-quote-argument semantics and safety
Date: Mon, 19 Oct 2015 11:22:16 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Eli Zaretskii <eliz@gnu.org> writes:
>> From: taylanbayirli@gmail.com (Taylan Ulrich Bayırlı/Kammer)
>> Cc: 21702@debbugs.gnu.org
>> Date: Mon, 19 Oct 2015 09:34:15 +0200
>>
>> > Item 1 was this:
>> >
>> >> >> The function should clearly document
>> >> >>
>> >> >> 1) for which shells will the quoting work absolutely, i.e. lead to
>> >> >> the given string to appear *verbatim* in an element of the ARGV of
>> >> >> the called command,
>> >
>> > There's nothing about safety here, only about correctness. That is
>> > the aspect that I think is now covered, as the doc string now says for
>> > which shells one can have correct results.
>>
>> Usually it's indeed correctness that protects against injection attacks.
>> A quoting mechanism that's correct is automatically safe.
>
> And that is the current situation, AFAIU.
>
>> Another way to make it safe would be to error when the given string
>> contains characters outside of a limited character set.
>
> What limited set would you suggest that will not make the function
> useless in real-life scenarios?
>
> In any case, I think quoting is better than rejecting, as it supports
> more use cases.
>
>> Either way, the safeness should be documented clearly, either implicitly
>> through a clear documentation of the correctness, or explicitly.
>
> Like I said, this convention should be adopted project-wide. Doing so
> only in a few doc strings, let alone one, will only confuse, because
> the user will not know whether the lack of such documentation means
> the API is safe or unsafe.
Yes, it should be done for every function for which the concerns I've
explained apply. So let's start from this one.
>> I would propose something along the lines of:
>>
>> It is guaranteed that ARGUMENT will be parsed as a single token by
>> shells X, Y, and Z, as long as it is separated from other text via a
>> delimiter in the syntax of the respective shell.
>
> I don't think we want to mention specific shells explicitly, because
> maintaining such a list would be a burden. The standard shell of each
> OS is well defined and known to the users of the respective systems.
> Moreover, Emacs by default uses that shell automatically.
For instance, POSIX sh, MS-DOS, and Windows NT is not a long list. (I
don't really know what shells MS-DOS and Windows NT use; a more precise
naming would be good.)
The payoff of the small burden is having clear safety guarantees.
>> >> Does that make sense?
>> >
>> > Maybe it does, but only if we start documenting these aspects
>> > project-wide. It makes little sense to me to do that for a single
>> > API, and not an important one at that. But that's me.
>>
>> This is an API which if its implementation is imperfect will result in
>> programs prone to code injection attacks when these programs face
>> untrusted input sources. Why do you say it's not an important one?
>
> Because there are many much more important ones that can do much more
> harm more easily. In particular, a shell command doesn't need to be
> quoted to be harmful or malicious.
There being other important cases does not make this a less important
case. It is exactly as important as I've already said.
I don't understand what "a shell command doesn't need to be quoted to be
harmful" is supposed to mean; quoting is what *makes* the arguments
harmless, by ensuring they cleanly end up in the ARGV of a called
command instead of causing arbitrary behavior of the shell.
Here's a patch doing an improvement to the documentation like the one I
proposed. Of course, if you have verified that shells other than POSIX
sh are fully safe, feel free to improve the docstring accordingly.
Taylan
From bb746be5638a17c99e1647ecc178e3b9d97e4ba3 Mon Sep 17 00:00:00 2001
From: Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
Date: Sun, 18 Oct 2015 14:23:35 +0200
Subject: [PATCH] * lisp/subr.el (shell-quote-argument): Improve documentation.
---
lisp/subr.el | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lisp/subr.el b/lisp/subr.el
index c903ee3..e55647b 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -2713,8 +2713,14 @@ Note: :data and :device are currently not supported on
Windows."
(defun shell-quote-argument (argument)
"Quote ARGUMENT for passing as argument to an inferior shell.
-This function is designed to work with the syntax of your system's
-standard shell, and might produce incorrect results with unusual shells."
+This is safe for shells conforming to POSIX sh. No safety
+guarantees are made for other shells, but the standard MS-DOS and
+Windows NT shells are supported as well.
+
+Being safe in this context means that as long as the result is
+surrounded by delimiters in the syntax of the respective shell,
+it's guaranteed that it will be parsed as one token and that the
+value of the token will be exactly ARGUMENT."
(cond
((eq system-type 'ms-dos)
;; Quote using double quotes, but escape any existing quotes in
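Review bot: the new docstring says the MS-DOS and Windows NT shells "are supported as well" immediately after saying no safety guarantees are made for other shells, so a reader cannot tell what "supported" adds beyond "not guaranteed"; either state what is guaranteed for those shells or keep the original caveat that the function "might produce incorrect results with unusual shells", which the hunk drops. The precondition "surrounded by delimiters in the syntax of the respective shell" is also looser than it needs to be: for POSIX sh the condition is that the result is not adjacent to other word characters (separated by whitespace or an operator), so say that, and make explicit that the guarantee covers how the shell tokenizes the result, not what the invoked command does with the argument.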
--
2.5.0
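The guarantee the proposed docstring describes, that a quoted ARGUMENT is parsed by POSIX sh as one token whose value is exactly ARGUMENT, can be checked by letting a shell parse the quoted form itself. The script below is an added example, not code from this message, from Emacs, or from the patch above. It assumes a single-quote based quoting routine (a different technique from the backslash escaping subr.el uses for POSIX sh, chosen here because the rule fits in one sentence: inside '...' nothing is special, so only an embedded ' needs handling); the function names sq_quote, roundtrip_ok and splice_and_count, and the two input strings, are constructed for the example.

```shell
#!/bin/sh
# Added example: POSIX sh quoting plus a check, performed by the shell
# itself, that the quoted result is one token equal to the original.

# sq_quote: wrap ARG in single quotes; each embedded ' becomes '\''
# (close the quotes, one escaped ', reopen the quotes). No command
# substitution is used, so trailing newlines in ARG are preserved.
sq_quote() {
    _rest=$1
    _out="'"
    _esc="'\\''"          # what each embedded ' turns into
    while :; do
        case $_rest in
            *\'*)
                _out=$_out${_rest%%\'*}$_esc
                _rest=${_rest#*\'}
                ;;
            *)
                _out=$_out$_rest"'"
                break
                ;;
        esac
    done
    printf '%s\n' "$_out"
}

# roundtrip_ok: have the shell parse the quoted form (eval is the point
# here: a quoting bug would execute) and check that it yields exactly one
# positional parameter equal to the original argument.
roundtrip_ok() {
    _orig=$1
    eval "set -- $(sq_quote "$1")"
    [ "$#" -eq 1 ] && [ "$1" = "$_orig" ]
}

# splice_and_count: splice TEXT verbatim into a command line for a child
# sh, the way a program that builds commands by string concatenation
# does, and print what the child saw: its argument count, then each
# argument, joined with '|'.
splice_and_count() {
    sh -c "set -- $1
out=\$#
for a in \"\$@\"; do out=\"\$out|\$a\"; done
printf '%s\n' \"\$out\""
}

# Constructed inputs: an injection attempt, and a string containing a
# single quote, a variable reference, a command substitution, a backslash,
# a glob character, an operator and a newline.
payload='a; echo INJECTED'
tricky="it's \$HOME \`id\` \\ * ;
second line"

# Unquoted, the payload runs "echo INJECTED" in the child shell and the
# child sees only the argument "a".
splice_and_count "$payload"
# Quoted, the child sees one argument equal to the whole payload.
splice_and_count "$(sq_quote "$payload")"
roundtrip_ok "$tricky" && echo "round trip ok"
```

The same round trip can be run against the output of any quoting routine, including shell-quote-argument via `emacs --batch`, to check the "one token, value exactly ARGUMENT" claim for the shell actually in use rather than trusting the docstring.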