bug-gnu-emacs

bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell


From: npostavs
Subject: bug#19350: #19350 24.4; Incorrect quoting of %-signs for Windows command shell
Date: Sun, 14 Aug 2016 23:13:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Demi Obenour <demiobenour@gmail.com> writes:

> We don't know what this is being used for. For all we know, someone has
> written an Emacs plugin that passes a file with an attacker-controlled
> basename (e.g. downloaded from the Internet) and uses this function to
> escape the filename before passing it to an external command, in a
> context where there are unbalanced double quotes (say) in a known env
> var. Result: remote execution of arbitrary code.

Hmm, maybe we could fix this by making Emacs refuse to apply environment
variables with names ending in carets?
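The scenario in the quoted message and the mitigation proposed above, as an added example that is not part of the original thread and not Emacs code. It models, in pure Python, the two cmd.exe processing steps that matter here: percent expansion runs first and sees the caret as part of the variable name (so the caret-escaped `^%FOO^%` refers to a variable literally named `FOO^`), and only afterwards are carets and quotes interpreted. `caret_quote` is a simplified caret-style quoting routine written for this illustration, not `shell-quote-argument`; the filename `report%FOO%.txt`, the variable `FOO^`, its value with an unbalanced double quote, and the `type` command are constructed sample data. `drop_caret_names` is one way to implement the suggestion of refusing environment variables whose names end in a caret.

```python
"""Model of the cmd.exe quoting break-out discussed in bug#19350.

Added illustration, not Emacs code.  Two cmd.exe phases are modelled:
percent expansion (phase 1), then caret/quote handling and '&' splitting
(phase 2).  Delayed expansion (!), redirection and the rest are omitted.
"""
import re

METACHARS = set('%!()"<>&|^')


def caret_quote(arg: str) -> str:
    """Simplified caret-style quoting (assumption, not Emacs's own code).

    Without % ! or " in the argument, plain double quotes suffice.
    Otherwise wrap in ^" ... ^" and caret-prefix every cmd metacharacter.
    """
    if not re.search(r'[%!"]', arg):
        return '"' + arg + '"'
    escaped = ''.join('^' + c if c in METACHARS else c for c in arg)
    return '^"' + escaped + '^"'


def expand_percent(line: str, env: dict) -> str:
    """Phase 1: %NAME% is expanded before carets mean anything.

    NAME is everything between two percent signs, carets included, so
    ^%FOO^% looks up the variable "FOO^".  Lookups are case-insensitive;
    an unknown name is left literal (command-line behaviour).
    """
    upper_env = {k.upper(): v for k, v in env.items()}
    out, i = [], 0
    while i < len(line):
        if line[i] != '%':
            out.append(line[i])
            i += 1
            continue
        j = line.find('%', i + 1)
        if j == -1:                      # no closing %, keep the rest verbatim
            out.append(line[i:])
            break
        name = line[i + 1:j]
        out.append(upper_env.get(name.upper(), line[i:j + 1]))
        i = j + 1
    return ''.join(out)


def split_commands(line: str) -> list:
    """Phase 2: ^ escapes the next char and & separates commands, but only
    outside double quotes; an escaped ^" does not open a quoted region."""
    cmds, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if in_quote:
            in_quote = c != '"'
            cur.append(c)
        elif c == '^' and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 1
        elif c == '"':
            in_quote = True
            cur.append(c)
        elif c == '&':
            cmds.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    cmds.append(''.join(cur).strip())
    return cmds


def run_model(filename: str, env: dict) -> list:
    """Quote the attacker-controlled name into 'type <file>' and return the
    command(s) cmd.exe would end up executing under this model."""
    return split_commands(expand_percent('type ' + caret_quote(filename), env))


def drop_caret_names(env: dict) -> dict:
    """Mitigation suggested in the thread: refuse to pass on environment
    variables whose names end in a caret, so cmd never finds "FOO^"."""
    return {k: v for k, v in env.items() if not k.endswith('^')}


# Constructed sample data: the basename comes from the attacker, the
# environment holds a variable named FOO^ with an unbalanced double quote.
ATTACKER_BASENAME = 'report%FOO%.txt'
HOSTILE_ENV = {'FOO^': ' & calc & "', 'PATH': r'C:\Windows'}

if __name__ == '__main__':
    print(run_model(ATTACKER_BASENAME, {}))                           # quoting holds
    print(run_model(ATTACKER_BASENAME, HOSTILE_ENV))                  # 'calc' injected
    print(run_model(ATTACKER_BASENAME, drop_caret_names(HOSTILE_ENV)))  # holds again
```

With no `FOO^` variable the caret escaping works and the single command `type "report%FOO%.txt"` survives; with it, the value is spliced in before the carets are processed and the unquoted `&` turns one command into three. Filtering the environment restores the first outcome without touching the quoting routine.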
