org-man-open: Fix shell expansion vulnerability (Emacs bug#66390)

* lisp/ol-man.el (org-man-open): Work around Emacs bug#66390. Implement fix on org side before Emacs commit that fixes the bug. Link: https://yhetil.org/emacs-bugs/CADwFkmnTMsOM+z0x8FGPGguMtoD9hLrNt9YfbaJ08KPNKW3EbQ@mail.gmail.com/
2024-01-11 13:04:23 +01:00 · 2024-01-11 13:04:23 +01:00 · bc3caa8f90
parent 804d032685
commit bc3caa8f90
1 changed files with 14 additions and 0 deletions
--- a/lisp/ol-man.el
+++ b/lisp/ol-man.el
@ -39,13 +39,27 @@
  :group 'org-link
  :type '(choice (const man) (const woman)))

+(declare-function Man-translate-references "man" (ref))
 (defun org-man-open (path _)
  "Visit the manpage on PATH.
 PATH should be a topic that can be thrown at the man command.
 If PATH contains extra ::STRING which will use `occur' to search
 matched strings in man buffer."
+  (require 'man) ; For `Man-translate-references'
  (string-match "\\(.*?\\)\\(?:::\\(.*\\)\\)?$" path)
  (let* ((command (match-string 1 path))
+         ;; FIXME: Remove after we drop Emacs 29 support.
+         ;; Working around security bug #66390.
+         (command (if (org-man-store-link (equal (Man-translate-references ";id") "\\;id"))
+                      ;; We are on Emacs that properly escapes man
+                      ;; command args (see Emacs commit 820f0793f0b).
+                      command
+                    ;; Older Emacs without the fix - escape the
+                    ;; arguments ourselves.
+                    (mapconcat 'identity
+                               (mapcar #'shell-quote-argument
+                                       (split-string command "\\s-+"))
+                               " ")))
         (search (match-string 2 path))
         (buffer (funcall org-man-command command)))
    (when search