branch: externals-release/org commit bc3caa8f90d215e63852d5795a1c0209a6d20cc8 Author: Ihor Radchenko <yanta...@posteo.net> Commit: Ihor Radchenko <yanta...@posteo.net>
org-man-open: Fix shell expansion vulnerability (Emacs bug#66390) * lisp/ol-man.el (org-man-open): Work around Emacs bug#66390. Implement fix on org side before Emacs commit that fixes the bug. Link: https://yhetil.org/emacs-bugs/cadwfkmntmsom+z0x8fgpggumtod9hlrnt9yfbaj08kpnkw3...@mail.gmail.com/ --- lisp/ol-man.el | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/lisp/ol-man.el b/lisp/ol-man.el index b6cada1b3c..d801f59d89 100644 --- a/lisp/ol-man.el +++ b/lisp/ol-man.el @@ -39,13 +39,27 @@ :group 'org-link :type '(choice (const man) (const woman))) +(declare-function Man-translate-references "man" (ref)) (defun org-man-open (path _) "Visit the manpage on PATH. PATH should be a topic that can be thrown at the man command. If PATH contains extra ::STRING which will use `occur' to search matched strings in man buffer." + (require 'man) ; For `Man-translate-references' (string-match "\\(.*?\\)\\(?:::\\(.*\\)\\)?$" path) (let* ((command (match-string 1 path)) + ;; FIXME: Remove after we drop Emacs 29 support. + ;; Working around security bug #66390. + (command (if (org-man-store-link (equal (Man-translate-references ";id") "\\;id")) + ;; We are on Emacs that properly escapes man + ;; command args (see Emacs commit 820f0793f0b). + command + ;; Older Emacs without the fix - escape the + ;; arguments ourselves. + (mapconcat 'identity + (mapcar #'shell-quote-argument + (split-string command "\\s-+")) + " "))) (search (match-string 2 path)) (buffer (funcall org-man-command command))) (when search
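Review bot: The feature probe in the second `command` binding is passed through `org-man-store-link`, so the branch is chosen by whatever that function returns rather than by the `equal` result itself; its definition is outside this hunk, but if its return value does not mirror the probe, the choice between trusting Emacs' own escaping and quoting the arguments here no longer tracks whether bug#66390 is fixed. Testing the probe directly, e.g. `(command (if (ignore-errors (equal (Man-translate-references ";id") "\\;id"))`, keeps the decision tied to the escaping behaviour and falls back to manual quoting if the probe signals an error. Separately, `(search (match-string 2 path))` is now evaluated after `Man-translate-references` and `split-string` have run, and `split-string` modifies the match data, so `search` may no longer be the `::STRING` part captured by the `string-match` above. Binding `search` before the second `command`, or wrapping the new form in `save-match-data`, avoids that. The body of `org-man-open` continues past the end of the hunk.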