procyberian/emacs
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Document shell-command-to-string security considerations

Browse source 
* lisp/simple.el (shell-command-to-string): Document security
considerations in docstring.
This commit is contained in:
Stefan Kangas 2023-09-17 17:03:59 +02:00
parent b74d9e8bad
commit 94bef169e2
1 changed files with 9 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

10
lisp/simple.el
View file

@ -5060,7 +5060,15 @@ characters."
exit-status)) exit-status))
(defun shell-command-to-string (command) (defun shell-command-to-string (command)
"Execute shell command COMMAND and return its output as a string." "Execute shell command COMMAND and return its output as a string.
Use `shell-quote-argument' to quote dangerous characters in
COMMAND before passing it as an argument to this function.
Use this function only when a shell interpreter is needed. In
other cases, consider alternatives such as `call-process' or
`process-lines', which do not invoke the shell. Prefer built-in
functions like `mv' to the external command \"mv\". For more
information, see Info node (elisp)Security Considerations."
(with-output-to-string (with-output-to-string
(with-current-buffer standard-output (with-current-buffer standard-output
(shell-command command t)))) (shell-command command t))))