emacs-devel

Re: [PATCH] Add shell-quasiquote.


From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:03:08 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Paul Eggert <address@hidden> writes:

> Taylan Ulrich Bayırlı/Kammer wrote:
>> Please tell me which shells shell-quote-argument is guaranteed to work
>> safely on
>
> Nobody can tell you that. What we can tell you is that
> shell-quote-argument works on a superset of uses that
> shqq--quote-string works on. The trust-based arguments against using
> shell-quote-argument all apply, with greater force, against using
> shqq--quote-string. For example, shqq--quote-string is more vulnerable
> to code-injection attacks than shell-quote-argument is.

The domain of a function is part of its semantics, even if in Lisp we
have no way to formalize it other than through documentation.

The domain of shqq--quote-string is arguments to POSIX shell commands.
It's safe within that domain, i.e. its whole domain, meaning in short
"it's safe."

The domain of shell-quote-argument is unknown, so it's unknown whether
it's safe.  (If we include csh in its domain, it's known to be unsafe.)

Saying shqq--quote-string is more vulnerable is plain wrong.  It's
either as safe as, or safer than, shell-quote-argument.

That may sound like "semantics," but it carries over to practice very
simply: if I can't tell my users what shells shqq is safe for (or worse,
imply to them that they can use it with just any shell), there's a good
chance they'll use it for shells it's unsafe for, exposing themselves to
vulnerabilities.  (Or if they're smarter than that, they will see that
my library is entirely useless for arbitrary input.)

Of course, I could use shell-quote-argument, but still document that
shqq is safe only for POSIX shells, no matter what shell-quote-argument
seems to try to accommodate for.  I think that's an unnecessary
complication, but if it's going to satisfy others for whatever reason
then I'm not opposed to it because it's at least harmless.  (I'll first
investigate further on possible breakage with shell-quote-argument's
quoting strategy for POSIX though.)

> I am not a fan of non-POSIX shells. They are a hassle to deal with and
> can cause significant problems in Emacs maintenance. In areas where
> they are a significant problem, we don't need to support them. But
> this particular instance is not a significant problem. Emacs already
> has a portable, tested, easy-to-use function to quote shell arguments,
> and there's good reason to use it here.

Arbitrary code injection is a very significant problem, and it has been
demonstrated in this thread that shell-quote-argument is vulnerable
against it.


Let's please all be more rigorous about such things in the future and
not pretend that problems are known not to exist when they're merely not
known to exist, let alone pretending that they don't exist shortly after
they've been demonstrated to exist.

I'll file a bug report about shell-quote-argument shortly, where we can
decide on more precise semantics for it (even if still open-ended) and
clearly document its safety guarantees.

Taylan
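An added example, not code from the shell-quasiquote patch or from Emacs: a quoting routine whose domain is, like shqq--quote-string's, arguments to POSIX shell commands, plus a round-trip check that feeds the quoted form back through sh and confirms the shell sees exactly the original bytes as one word. The single-quote strategy, the function names `posix_quote` and `roundtrips`, and the sample inputs are assumptions of this example, not taken from the patch.

```shell
#!/bin/sh
# Added example (not the patch's code). Quoting strategy assumed here: wrap
# the argument in single quotes, inside which every byte is literal except
# the single quote itself, which is spelled '\'' (close, escaped quote, reopen).
# The result is meaningful only for POSIX shells, the domain discussed above.
posix_quote() {
  rest=$1
  out=""
  while [ -n "$rest" ]; do
    ch=${rest%"${rest#?}"}        # first character of $rest
    rest=${rest#?}                # drop it
    if [ "$ch" = "'" ]; then
      out="$out'\\''"             # ' -> '\''
    else
      out="$out$ch"
    fi
  done
  printf "'%s'" "$out"
}

# Defensive check: run the quoted form through a real sh and compare with the
# original. A metacharacter that survived unquoted ($HOME, ;, *, newline...)
# would show up as a mismatch. A trailing "." sentinel keeps command
# substitution from stripping newlines at the end of the argument.
roundtrips() {
  quoted=$(posix_quote "$1")
  got=$(sh -c "printf '%s.' $quoted")
  [ "$got" = "$1." ]
}
```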
