
From: Ulrich Mueller
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 09:32:52 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux)

>>>>> On Wed, 08 Mar 2023, Po Lu wrote:

> For it to be a vulnerability, you will have to click such mailto URIs in
> your web browser without first reading them, and some nasty person will
> have to specifically create URIs that run insidious Emacs Lisp code.

> How about something simpler: one can copy a command to download malware
> from the Internet, then paste it into a shell buffer.  Let's remove a
> serious command injection vulnerability, ``M-x shell'', from Emacs 29!
> While we're at it, how about `interprogram-paste-function' as well?

No, it doesn't work that way. :) When it comes to vulnerabilities, it is
all about expectations.

If I execute a program (shell code, binary, etc.) that I find somewhere
on the Internet, then I know that it will execute some code, and that I
must trust its source that it doesn't do anything malicious.

OTOH, I don't have that expectation when I click on a mailto hyperlink.
