Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop

[Po Lu]

Ulrich Mueller <ulm@gentoo.org> writes:

>>>>>> On Wed, 08 Mar 2023, Po Lu wrote:
>
>> Ulrich Mueller <ulm@gentoo.org> writes:
>>> Then the desktop file won't work, obviously. The problem is that
>>> ${PARAMETER//PATTERN/STRING} substitution is not available in POSIX
>>> parameter expansion. So with POSIX sh, an external program (e.g. sed)
>>> would have to be called.
>>> 
>>> The long term solution (suggested by Stefan Monnier) might be to add
>>> a --funcall option to emacsclient. Then there would be no need for a
>>> shell wrapper, in the first place.
>>> 
>>> Should the Makefile skip installation of emacsclient-mail.desktop
>>> when bash isn't available on the system?
>
>> Could we install this change not on emacs-29, but on master?
>
>> I don't think the problem it solves is severe, nor a regression from
>> Emacs 28.  It is rather a minor nusiance with certain URLs.
>
> Seriously? It is a vulnerability that allows remote injection of
> arbitrary Elisp code through a crafted "mailto" URI.

For it to be a vulnerability, you will have to click such mailto URIs in
your web browser without first reading them, and some nasty person will
have to specifically create URIs that run insidious Emacs Lisp code.

How about something simpler: one can copy a command to download malware
from the Internet, then paste it into a shell buffer.  Let's remove a
serious command injection vulnerability, ``M-x shell'', from Emacs 29!
While we're at it, how about `interprogram-paste-function' as well?