Fix man.el shell injection vulnerability

* lisp/man.el (Man-translate-references): Fix shell injection vulnerability. (Bug#66390) * test/lisp/man-tests.el (man-tests-Man-translate-references): New test.
2023-10-10 22:20:05 +08:00 · 2023-10-10 22:20:05 +08:00 · 820f0793f0
parent 093ecb2aca
commit 820f0793f0
2 changed files with 17 additions and 1 deletions
--- a/lisp/man.el
+++ b/lisp/man.el
@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
      (setq name (match-string 2 ref)
 	    section (match-string 1 ref))))
    (if (string= name "")
-	ref				; Return the reference as is
+        ;; see Bug#66390
+	(mapconcat 'identity
+                   (mapcar #'shell-quote-argument
+                           (split-string ref "\\s-+"))
+                   " ")                 ; Return the reference as is
      (if Man-downcase-section-letters-flag
 	  (setq section (downcase section)))
      (while slist
--- a/test/lisp/man-tests.el
+++ b/test/lisp/man-tests.el
@ -161,6 +161,18 @@ DESCRIPTION
          (let ((button (button-at (match-beginning 0))))
            (should (and button (eq 'Man-xref-header-file (button-type button))))))))))

+(ert-deftest man-tests-Man-translate-references ()
+  (should (equal (Man-translate-references "basename")
+                 "basename"))
+  (should (equal (Man-translate-references "basename(3)")
+                 "3 basename"))
+  (should (equal (Man-translate-references "basename(3v)")
+                 "3v basename"))
+  (should (equal (Man-translate-references ";id")
+                 "\\;id"))
+  (should (equal (Man-translate-references "-k basename")
+                 "-k basename")))
+
 (provide 'man-tests)

 ;;; man-tests.el ends here