emacs-devel

Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac


From: Ulrich Mueller
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 12:08:42 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux)

>>>>> On Wed, 08 Mar 2023, Robert Pluim wrote:

Ulrich> Sorry, but I've installed this on emacs-29 with an explicit ack from
Ulrich> both Eli and Stefan.

> Fair enough, but is there no way to get it to use `sed' instead?

Sure, something like this (not yet tested):

-Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; 
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= 
--display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" 
bash %u
+Exec=sh -c "u=\\$\\(echo \\"\\$1\\" | sed \\'s/[\\\\\\"]/\\\\\\\\\\&/g\\'\\); 
exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval 
\\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
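Review bot: In the added Exec line, the URL reaches sed through echo (with the desktop-file escaping layers removed: echo "$1" | sed 's/[\"]/\\&/g'), and echo is not reliable for arbitrary data under sh. POSIX leaves its behaviour implementation-defined when the argument contains a backslash or when the first argument is -n, so some shells will expand sequences such as \n or \c, or print nothing for a bare -n, before sed ever sees the text. The escaping of backslash and double quote still applies to whatever echo emitted, but the string handed to message-mailto may no longer be the %u that was passed in. Consider printf '%s\n' "$1" in place of echo "$1", re-quoted for the .desktop Exec syntax; printf is a builtin in common sh implementations, which also bears on the concern about calling two external programs.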

Sorry, but it doesn't get less ugly. :) Also, it will now call _two_
external programs. Is this acceptable, and is it guaranteed that sed
will be available on users' systems?


