emacs-devel

From: Ulrich Mueller
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 08:15:48 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux)

>>>>> On Wed, 08 Mar 2023, Po Lu wrote:

> Ulrich Mueller <ulm@gentoo.org> writes:
>> Then the desktop file won't work, obviously. The problem is that
>> ${PARAMETER//PATTERN/STRING} substitution is not available in POSIX
>> parameter expansion. So with POSIX sh, an external program (e.g. sed)
>> would have to be called.
>> 
>> The long term solution (suggested by Stefan Monnier) might be to add
>> a --funcall option to emacsclient. Then there would be no need for a
>> shell wrapper, in the first place.
>> 
>> Should the Makefile skip installation of emacsclient-mail.desktop
>> when bash isn't available on the system?

> Could we install this change not on emacs-29, but on master?

> I don't think the problem it solves is severe, nor a regression from
> Emacs 28.  It is rather a minor nuisance with certain URLs.

Seriously? It is a vulnerability that allows remote injection of
arbitrary Elisp code through a crafted "mailto" URI.
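The injection Ulrich is describing, as an added example that is not part of this thread or of the Emacs tree: a desktop-file wrapper that interpolates the mailto URI straight into an Elisp string literal handed to emacsclient --eval, beside a wrapper that escapes the URI first. The form (message-mailto "...") and the function names are assumptions for illustration; the escaping uses sed rather than bash's ${PARAMETER//PATTERN/STRING}, which is the POSIX-sh alternative the message refers to, so the script runs under plain sh. The payload URI is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from emacsclient-mail.desktop.
# Assumption: the wrapper builds (message-mailto "<uri>") and passes it to
# emacsclient --eval, so the URI lands inside an Elisp double-quoted string.

# Naive wrapper: the URI is dropped into the string literal as-is. A URI that
# contains a double quote closes the literal, and whatever follows is read by
# Emacs as further Elisp forms.
naive_eval_form() {
    printf '(message-mailto "%s")' "$1"
}

# Escape a value for an Elisp double-quoted string: backslashes first, then
# double quotes (those are the only two characters that can end or escape the
# literal). sed only, so it works where bash substitution is not available.
# Command substitution strips trailing newlines, which is harmless here: a
# newline cannot terminate an Elisp string.
elisp_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Hardened wrapper: same form, but the URI can no longer leave the literal.
safe_eval_form() {
    printf '(message-mailto "%s")' "$(elisp_escape "$1")"
}

# Checker: count double quotes that are not themselves escaped. A form that
# still consists of one string literal has exactly two (the delimiters).
unescaped_quotes() {
    printf '%s\n' "$1" | sed -e 's/\\\\//g' -e 's/\\"//g' | tr -cd '"' | wc -c | tr -d ' '
}

# Constructed payload: closes the literal, injects a call, reopens a literal
# so the trailing ")" of the wrapper still parses.
demo_uri='mailto:x@example.org") (shell-command "id") (ignore "'

printf 'naive: %s\n' "$(naive_eval_form "$demo_uri")"
printf 'safe:  %s\n' "$(safe_eval_form "$demo_uri")"
```

Escaping backslashes before quotes matters: a URI such as `x\"` would otherwise become `x\\"`, where the attacker's backslash neutralizes the added one and the quote still closes the string. A --funcall option in emacsclient, as suggested in the thread, would remove the need for any of this quoting, because the URI would never pass through the Lisp reader as part of a form.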


