Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop

From: Ulrich Mueller
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 03:14:08 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux)
>>>>> On Wed, 08 Mar 2023, Po Lu wrote:
> Ulrich Müller <ulm@gentoo.org> writes:
>> Categories=Network;Email;
>> Comment=GNU Emacs is an extensible, customizable text editor - and more
>> -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\"
>> --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
>> +# We want to pass the following commands to the shell wrapper:
>> +# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor=
>> --display="$DISPLAY" --eval "(message-mailto \"$u\")"
>> +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and
>> '\\\\'.
>> +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
>> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
>> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
>> bash %u
>> Icon=emacs
>> Name=Emacs (Mail, Client)
>> MimeType=x-scheme-handler/mailto;
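Review bot: the Exec line in this hunk now hard-depends on bash, because `${1//\\/\\\\}` and `${u//\"/\\\"}` are bash parameter expansions rather than POSIX ones, yet nothing in the entry tells the launcher so; adding a `TryExec=bash` key would let desktop environments hide the entry when bash is absent instead of failing at click time. The escaping order is right: backslashes are doubled before double quotes are backslashed, so a URL such as `a\"b` becomes `a\\\"b` and can no longer terminate the Elisp string literal, which the old `\\$1` splice allowed. The comment block should also state that the launcher expands `%u` into a single argument, since the whole scheme relies on the URL arriving as `$1` and nothing else.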
>> @@ -13,7 +16,7 @@ Actions=new-window;new-instance;
>>
>> [Desktop Action new-window]
>> Name=New Window
>> -Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval
>> \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
>> +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
>> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
>> --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
>>
>> [Desktop Action new-instance]
>> Name=New Instance
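Review bot: this hunk repeats the escaping expression from the `[Desktop Entry]` Exec line verbatim, so the two copies must be kept in sync by hand, and the `new-instance` action's Exec lies outside the `@@ -13,7 +16,7 @@` context (which ends at `Name=New Instance`); if that action also splices `%u` into an `--eval` string it needs the same treatment, and the diff does not show whether it got it. As in the first hunk, `sh` becomes `bash` both as the command and in the `argv[0]` slot, so a single `TryExec=bash` key at the top of the file would cover every action at once.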
> What if the system in question has no bash?
Then the desktop file won't work, obviously. The problem is that
${PARAMETER//PATTERN/STRING} substitution is not available in POSIX
parameter expansion. So with POSIX sh, an external program (e.g. sed)
would have to be called.
The long term solution (suggested by Stefan Monnier) might be to add
a --funcall option to emacsclient. Then there would be no need for a
shell wrapper in the first place.
Should the Makefile skip installation of emacsclient-mail.desktop
when bash isn't available on the system?
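The sed-based POSIX sh variant mentioned above, as an added example that is not part of the original thread or of the Emacs desktop file: it escapes a mailto: URL for an Elisp string literal the same way the bash patch does (backslash first, then double quote), builds the `--eval` form with and without that escaping, and checks the result by counting the double quotes that remain unescaped. The `PAYLOAD` URL, the function names and the quote-counting check are constructed for this example; `message-mailto` is the function the desktop file calls.

```sh
#!/bin/sh
# Added example (not Emacs' own code): build the --eval form from an
# untrusted mailto: URL.  The Emacs fix uses bash's ${u//pat/repl};
# this version uses sed, which is what a POSIX sh wrapper would call.

# Escape a string for an Elisp double-quoted literal.  Backslashes are
# doubled first, then double quotes are backslashed; the other order
# would escape the backslashes just inserted.
elisp_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Pre-fix behaviour: $1 is spliced into the Elisp string verbatim.
vulnerable_form() {
    printf '(message-mailto "%s")' "$1"
}

# Fixed behaviour: $1 is escaped before being spliced in.
fixed_form() {
    printf '(message-mailto "%s")' "$(elisp_escape "$1")"
}

# Sanity check on a generated form (constructed for this example):
# drop escaped backslashes and escaped quotes, then count the quotes
# that are left.  A form whose only string is the URL must have 2.
unescaped_quote_count() {
    printf '%s' "$1" | sed -e 's/\\\\//g' -e 's/\\"//g' \
        | tr -cd '"' | wc -c | tr -d ' '
}

# Constructed payload: a mailto: URL that closes the string literal and
# injects a second form.  Elisp evaluates function arguments before the
# call, so (shell-command "id") runs when emacsclient evaluates it.
PAYLOAD='mailto:victim@example.org" (shell-command "id") "'

if [ "$(unescaped_quote_count "$(vulnerable_form "$PAYLOAD")")" -ne 2 ]; then
    printf 'vulnerable: %s\n' "$(vulnerable_form "$PAYLOAD")"
fi
printf 'fixed:      %s\n' "$(fixed_form "$PAYLOAD")"
```

Run it with `sh` or `bash`: the unescaped form carries six unescaped quotes, meaning the injected `(shell-command "id")` has become a separate argument that Emacs would evaluate, while the escaped form carries exactly two. The quote count is only a sanity check for this example; the protection is the escaping itself, and the `--funcall` option suggested above would remove the string-splicing step altogether.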