Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac
From: Po Lu
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 08:27:58 +0800
User-agent: Gnus/5.13 (Gnus v5.13)
Ulrich Müller <ulm@gentoo.org> writes:
> Categories=Network;Email;
> Comment=GNU Emacs is an extensible, customizable text editor - and more
> -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\"
> --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
> +# We want to pass the following commands to the shell wrapper:
> +# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor=
> --display="$DISPLAY" --eval "(message-mailto \"$u\")"
> +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and
> '\\\\'.
> +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
> bash %u
> Icon=emacs
> Name=Emacs (Mail, Client)
> MimeType=x-scheme-handler/mailto;
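Review bot: The added `Exec=bash -c` line depends on `${1//pattern/replacement}`, which is a bash extension and not POSIX sh, so the mailto handler no longer launches where bash is not installed or not on PATH, whereas the removed line only needed `sh`. Either perform the two substitutions (backslash, then double quote) with a POSIX tool, or state the bash requirement in the comment block above the Exec line. The comment that spells out the unescaped command is worth keeping, since the escaped form is very hard to audit by eye.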
> @@ -13,7 +16,7 @@ Actions=new-window;new-instance;
>
> [Desktop Action new-window]
> Name=New Window
> -Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval
> \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
> +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
> --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
>
> [Desktop Action new-instance]
> Name=New Instance
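Review bot: The `new-window` Exec line repeats the full escaped substitution from the main entry but carries no comment of its own, so a future edit to one copy can silently diverge from the other; add a short comment pointing back to the explanation above the first Exec line. The Exec line of `[Desktop Action new-instance]` lies outside the visible context of this hunk, so confirm that it either does not pass `%u` into `--eval` or receives the same escaping.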
What if the system in question has no bash? This is not a theoretical
question, because I have access to one system which does have .desktop
files, but only csh, /bin/sh (which is useless), and ksh93.
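
As an added illustration (not part of the thread and not the Emacs project's code): the two substitutions the quoted patch performs with bash's `${var//pattern/replacement}`, written with POSIX `sh` and `sed` instead. The helper names `elisp_escape` and `mailto_form` and the sample URL are constructed for this example.

```shell
#!/bin/sh
# Added example: POSIX sh + sed equivalent of the patch's two bash
# substitutions. elisp_escape and mailto_form are hypothetical helper names.

# Escape a string so it can sit inside an Elisp "..." string literal.
# Backslashes are doubled first, then double quotes are escaped, the same
# order as u=${1//\\/\\\\}; u=${u//\"/\\\"} in the patch comment.
# printf is used instead of echo so backslashes in the input pass through
# unchanged; the command substitution in mailto_form strips the newline.
elisp_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the form that is handed to emacsclient --eval.
mailto_form() {
    printf '(message-mailto "%s")' "$(elisp_escape "$1")"
}

# Constructed sample URL containing both special characters.
sample='mailto:user@example.org?subject="quoted"\path'
mailto_form "$sample"; echo

# A wrapper script would finish with (not run here):
#   exec emacsclient --alternate-editor= --eval "$(mailto_form "$1")"
```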