retitle 550843 ldapvi: does neither handle $EDITOR nor $PAGER values with arguments
kthxbye

Hi,

I ran into this issue today, too, with $PAGER set to "less -s" like in
this thread on the upstream ML:
http://lists.askja.de/pipermail/ldapvi/2011-May/000092.html

Rhonda wrote on Wed, 14 Oct 2009 11:29:34 +0200:
> > > following that approach might raise security related issues with
> > > injecting escape sequences,
> >
> > Are you seriously saying that hg, svn and git have security issues
> > because of this? Because they work fine with my setting.
>
> Erm, about git (svn):
> <http://osdir.com/ml/git/2009-02/msg02581.html>,

But that seems only for git-svn and not git itself. With git it has
worked fine for ages (I use "less -XF" as pager in git, works fine even
on git 1.5.x on Debian Lenny), same for mutt with $EDITOR where I use
"emacsclient -a emacs" or even more complex constructs.

See http://bugs.debian.org/656657 for a more complete discussion of
this topic. (I actually wrote that bug report during research for
details for this mail. :-)

> it doesn't work - and there are also some interesting responses to
> it.

The only interesting ones are IMHO those suggesting to pass the whole
string as argument to "sh -c":

http://osdir.com/ml/git/2009-02/msg02582.html
http://osdir.com/ml/git/2009-02/msg02589.html

(The link on http://osdir.com/ml/git/2009-02/msg02678.html is broken
due to some msg-id-looks-like-email obfuscating techniques, so there
may be more advice, but the link itself doesn't help.)

> Anyway, yes, I'm seriously saying that it might be troublesome and
> non-trivial to do it right.

IMHO the current state ignores the rule of "least surprise" (and the
issued error messages make that even worse). Commands with whitespace
in the path are extremely seldom and setting commands with parameters
via environment variables and passing them to "sh -c" is very common.
It is also defined for at least $PAGER in the POSIX specification of
mailx[1] and man[2].

[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/mailx.html
[2] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/man.html

In both is declared:

    PAGER
        Determine a string representing an output filtering or
        pagination command for writing the output to the terminal. Any
        string acceptable as a command_string operand to the sh -c
        command shall be valid.

So at least for $PAGER some parts of POSIX expect the value of the
variable to be handled like shell code. I found no such declaration
for $EDITOR or $VISUAL in that document, though. Nevertheless I'd
expect those variables to be handled identically.

Even though David hasn't yet decided (or at least not yet responded)
on the proposed patch(es), I would include them in the Debian package
for the sake of the least surprise, working pager and editor options,
less confusing error messages and a non-crashing ldapvi in case you
try to use a pager with options twice in a row.

		Regards, Axel
--
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
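
The following is an added example, not part of the message above and not ldapvi's code or any of the proposed patches: it contrasts executing the variable's value directly with handing it to "sh -c" as POSIX describes for $PAGER, while passing the file name as a positional parameter so the shell never parses it. The function names `run_direct` and `run_via_sh` are hypothetical, and "test -e" is a constructed stand-in for a value with an argument such as "less -s".

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of the child, or -1 if fork/wait failed or it was killed. */
static int wait_status(pid_t pid)
{
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* Treats the whole value as one program name: "less -s" is looked up
 * as a file called "less -s", so exec fails and the child exits 127. */
int run_direct(const char *value, const char *file)
{
    pid_t pid = fork();
    if (pid == 0) {
        execlp(value, value, file, (char *)NULL);
        _exit(127);
    }
    return wait_status(pid);
}

/* Hands the value to sh -c as the command_string. The file name goes in
 * as positional parameter $1, so the shell never parses it as code. */
int run_via_sh(const char *value, const char *file)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "%s \"$1\"", value);
    if (n < 0 || n >= (int)sizeof cmd)
        return -1;                      /* value too long for the buffer */
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, "sh", file, (char *)NULL);
        _exit(127);
    }
    return wait_status(pid);
}

int main(void)
{
    /* "test -e" is a constructed stand-in for a value such as "less -s". */
    printf("direct=%d sh=%d\n",
           run_direct("test -e", "/"), run_via_sh("test -e", "/"));
    return 0;
}
```

Only the variable's value is interpreted by the shell here; a file name containing shell metacharacters reaches the command as a single argument.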