emacs-devel

Re: [PATCH] Add shell-quasiquote.


From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Sun, 18 Oct 2015 18:40:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

>> From: Paul Eggert <address@hidden>
>> Date: Sat, 17 Oct 2015 19:40:21 -0700
>> Cc: address@hidden
>> 
>> Taylan Ulrich Bayırlı/Kammer wrote:
>> > Please tell me which shells shell-quote-argument is guaranteed to work
>> > safely on
>> 
>> Nobody can tell you that. What we can tell you is that shell-quote-argument
>> works on a superset of uses that shqq--quote-string works on. The trust-based
>> arguments against using shell-quote-argument all apply, with greater force,
>> against using shqq--quote-string. For example, shqq--quote-string is more
>> vulnerable to code-injection attacks than shell-quote-argument is.
>> 
>> I am not a fan of non-POSIX shells. They are a hassle to deal with and can cause
>> significant problems in Emacs maintenance. In areas where they are a significant
>> problem, we don't need to support them. But this particular instance is not a
>> significant problem. Emacs already has a portable, tested, easy-to-use function
>> to quote shell arguments, and there's good reason to use it here.
>
> I completely agree with everything Paul wrote here.

And as I already said, code injection is far from "not a significant
problem."  I hope everyone here agrees with that.

But anyway, we should discuss this on the bug report ML.

Taylan


