emacs-devel

Re: [PATCH] Add shell-quasiquote.


From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 12:07:00 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Michael Albinus <address@hidden> writes:

> address@hidden (Taylan Ulrich "Bayırlı/Kammer") writes:
>
>> Dmitry Gutov <address@hidden> writes:
>>
>>> On 10/18/2015 12:25 AM, Taylan Ulrich Bayırlı/Kammer wrote:
>>>
>>>> Not knowing that there are bugs is not proof that there are no bugs.
>>>
>>> If you can't point out a bug, you have no justification to not use the
>>> standard function.
>>
>> No, I will *not* let users of my code potentially suffer from arbitrary
>> code injection attacks, thank you very much.
>
> If this is important for you, I recommend you stop using Tramp. It makes
> heavy use of (a slightly modified version of) `shell-quote-argument'.

TRAMP doesn't read shell commands from arbitrary input sources...

I hope! :-)

Can a remote host arrange for TRAMP to use shell-quote-argument on
arbitrary strings and pass these to a shell that could potentially be
csh, or any shell we don't know shell-quote-argument to be safe for?  If
so, that might be a *very* serious issue and you should not be telling
*me* to stop using TRAMP but rather the whole Emacs user-base.  I
mean it.

Taylan


