Fix man.el shell injection vulnerability
authorXi Lu <lx@shellcodes.org>
Tue, 10 Oct 2023 14:20:05 +0000 (22:20 +0800)
committerStefan Kangas <stefankangas@gmail.com>
Wed, 10 Jan 2024 21:16:24 +0000 (22:16 +0100)
* lisp/man.el (Man-translate-references): Fix shell injection
vulnerability.  (Bug#66390)
* test/lisp/man-tests.el (man-tests-Man-translate-references): New
test.

lisp/man.el
test/lisp/man-tests.el

index 55cb9383bec1cf52910fc0691bcf62d405a19bf9..d96396483d393ec74b13aec5479f07acb59267fb 100644 (file)
@@ -761,7 +761,11 @@ and the `Man-section-translations-alist' variables)."
       (setq name (match-string 2 ref)
            section (match-string 1 ref))))
     (if (string= name "")
-       ref                             ; Return the reference as is
+        ;; see Bug#66390
+       (mapconcat 'identity
+                   (mapcar #'shell-quote-argument
+                           (split-string ref "\\s-+"))
+                   " ")                 ; Return the reference as is
       (if Man-downcase-section-letters-flag
          (setq section (downcase section)))
       (while slist
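Review bot: `split-string` is called without OMIT-NULLS in the added fallback branch, so a `ref` with leading or trailing whitespace produces empty strings, and `shell-quote-argument` turns each of those into a quoted empty string that man receives as an extra empty argument. Passing `t` as the third argument avoids that, and `mapconcat` can apply the quoting directly: `(mapconcat #'shell-quote-argument (split-string ref "\\s-+" t) " ")`. The trailing comment `; Return the reference as is` is stale now that the value is quoted; `;; Not a NAME(SECTION) reference: quote each word so shell metacharacters stay literal (Bug#66390).` would describe the branch. Words beginning with `-` still pass through as man options, apparently by design, which deserves a sentence in the docstring. The function starts and ends outside the hunk, so whether callers trim `ref` first, and whether the two matched branches need the same quoting, cannot be seen here.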
index 140482ee62223263aff4303eba08f5d90f082efc..11f5f805e43faac614257fac56606328755a1e62 100644 (file)
@@ -161,6 +161,18 @@ DESCRIPTION
           (let ((button (button-at (match-beginning 0))))
             (should (and button (eq 'Man-xref-header-file (button-type button))))))))))
 
+(ert-deftest man-tests-Man-translate-references ()
+  (should (equal (Man-translate-references "basename")
+                 "basename"))
+  (should (equal (Man-translate-references "basename(3)")
+                 "3 basename"))
+  (should (equal (Man-translate-references "basename(3v)")
+                 "3v basename"))
+  (should (equal (Man-translate-references ";id")
+                 "\\;id"))
+  (should (equal (Man-translate-references "-k basename")
+                 "-k basename")))
+
 (provide 'man-tests)
 
 ;;; man-tests.el ends here
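Review bot: The expected value `"\\;id"` in the `;id` case hard-codes POSIX backslash quoting, while `shell-quote-argument` picks its quoting style from the host system, so this assertion looks likely to fail on MS-Windows or MS-DOS builds. Comparing against the quoting function keeps the check portable: `(should (equal (Man-translate-references ";id") (shell-quote-argument ";id")))`. The test also has no case with a metacharacter in a second whitespace-separated word, or with leading or trailing whitespace in the reference, which are the paths the new `split-string` call in man.el introduces. A one-line docstring on the `ert-deftest` naming Bug#66390 would tell a later reader why the `;id` case exists.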