[ldapvi] Bug#550843: ldapvi: does not handle EDITOR values with arguments -> Same for PAGER

Axel Beckert abe at debian.org
Fri Jan 20 19:26:35 CET 2012


retitle 550843 ldapvi: does neither handle $EDITOR nor $PAGER values with arguments
kthxbye

Hi,

I ran into this issue today, too, with $PAGER set to "less -s" like in
this thread on the upstream ML:
http://lists.askja.de/pipermail/ldapvi/2011-May/000092.html

Rhonda wrote on Wed, 14 Oct 2009 11:29:34 +0200:
> > > following that approach might raise security related issues with
> > > injecting escape sequences,
> > 
> > Are you seriously saying that hg, svn and git have security issues
> > because of this? Because they work fine with my setting.
> 
>  Erm, about git (svn):
> <http://osdir.com/ml/git/2009-02/msg02581.html>,

But that seems only for git-svn and not git itself. With git it has
worked fine for ages (I use "less -XF" as pager in git, works fine even on
git 1.5.x on Debian Lenny), same for mutt with $EDITOR where I use
"emacsclient -a emacs" or even more complex constructs. See
http://bugs.debian.org/656657 for a more complete discussion of this
topic. (I actually wrote that bug report during research for details
for this mail. :-)

> it doesn't work - and there are also some interesting responses to
> it.

The only interesting ones are IMHO those suggesting to pass the whole
string as argument to "sh -c":

  http://osdir.com/ml/git/2009-02/msg02582.html
  http://osdir.com/ml/git/2009-02/msg02589.html

(The link on http://osdir.com/ml/git/2009-02/msg02678.html is broken
due to some msg-id-looks-like-email obfuscating techniques, so there
may be more advice, but the link itself doesn't help.)

> Anyway, yes, I'm seriously saying that it might be troublesome and
> non-trivial to do it right.

IMHO the current state ignores the rule of "least surprise" (and the
issued error messages make that even worse).

Commands with whitespace in the path are extremely seldom and setting
commands with parameters via environment variables and passing them to
"sh -c" is very common.

It is also defined for at least $PAGER in the POSIX specification of
mailx[1] and man[2].

  [1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/mailx.html
  [2] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/man.html

In both is declared:

  PAGER

    Determine a string representing an output filtering or pagination
    command for writing the output to the terminal. Any string
    acceptable as a command_string operand to the sh -c command shall
    be valid.

So at least for $PAGER some parts of POSIX expect the value of the
variable to be handled like shell code.

I found no such declaration for $EDITOR or $VISUAL in that
document, though. Nevertheless I'd expect those variables to be
handled identically.

Even though David hasn't yet decided (or at least not yet responded)
on the proposed patch(es), I would include them in the Debian package
for the sake of the least surprise, working pager and editor options,
less confusing error messages and a non-crashing ldapvi in case you
try to use a pager with options twice in a row.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
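
The "sh -c" handling discussed in the message above, as an added example (not part of the original post, and neither ldapvi's code nor the proposed patch): the variable's value becomes the command_string, while the file name travels as a positional parameter so the shell never parses it. The function names run_direct and run_via_sh and the fallback to "more" are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reap the child; return its exit status, or -1 on error or signal. */
static int wait_status(pid_t pid) {
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Whole value used as a program name: "less -s" is looked up as one
 * file called "less -s", exec fails and the child exits with 127. */
int run_direct(const char *value, const char *file) {
    pid_t pid = fork();
    if (pid == 0) {
        execlp(value, value, file, (char *)NULL);
        _exit(127);
    }
    return wait_status(pid);
}

/* Value handled as an "sh -c" command_string (the POSIX wording for
 * PAGER). Only the variable's value is shell code; the file name is
 * passed as $1 and expanded via "$@", never pasted into the script. */
int run_via_sh(const char *value, const char *file) {
    size_t n = strlen(value) + sizeof " \"$@\"";
    char *script = malloc(n);
    if (!script) return -1;
    snprintf(script, n, "%s \"$@\"", value);
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, value, file, (char *)NULL);
        _exit(127);
    }
    free(script);
    return wait_status(pid);
}

/* Usage: ./a.out FILE  (runs $PAGER, or "more" if unset, on FILE) */
int main(int argc, char **argv) {
    const char *pager = getenv("PAGER");
    if (argc < 2) return 2;
    return run_via_sh(pager && *pager ? pager : "more", argv[1]);
}
```

Because the file name is an argument rather than part of the script text, a name containing spaces, quotes or semicolons reaches the pager as a single literal argument.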


