[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac
|
From: |
Ulrich Mueller |
|
Subject: |
Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop |
|
Date: |
Wed, 08 Mar 2023 12:29:13 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux) |
>>>>> On Wed, 08 Mar 2023, Ulrich Mueller wrote:
> Sure, something like this (not yet tested):
> -Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
> bash %u
> +Exec=sh -c "u=\\$\\(echo \\"\\$1\\" | sed
> \\'s/[\\\\\\"]/\\\\\\\\\\&/g\\'\\); exec emacsclient --alternate-editor=
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
> sh %u
> Sorry, but it doesn't get less ugly. :) Also, it will now call _two_
> external programs. Is this acceptable, and is it guaranteed that sed
> will be available on users' systems?
In fact, only '"', '$', and '\' need to be backslash-escaped.
Patch included below, works fine here.
----- 8< -----
>From 1e1f128c5ca0c888dae4651bcb3d556737e3a207 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?= <ulm@gentoo.org>
Date: Wed, 8 Mar 2023 12:23:58 +0100
Subject: [PATCH] Avoid using bash in the emacsclient desktop file
* etc/emacsclient-mail.desktop (Exec): Use sh and sed instead
of bash, because the latter may not be available everywhere.
---
etc/emacsclient-mail.desktop | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index 49c6f99f317..0a2420ddead 100644
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -2,9 +2,9 @@
Categories=Network;Email;
Comment=GNU Emacs is an extensible, customizable text editor - and more
# We want to pass the following commands to the shell wrapper:
-# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor=
--display="$DISPLAY" --eval "(message-mailto \"$u\")"
+# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor=
--display="$DISPLAY" --eval "(message-mailto \"$u\")"
# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
-Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
--display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
bash %u
+Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec
emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval
\\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
Icon=emacs
Name=Emacs (Mail, Client)
MimeType=x-scheme-handler/mailto;
@@ -16,7 +16,7 @@ Actions=new-window;new-instance;
[Desktop Action new-window]
Name=New Window
-Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
--create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
+Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec
emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto
\\\\\\"\\$u\\\\\\")\\"" sh %u
[Desktop Action new-instance]
Name=New Instance
--
2.39.2
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/07
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/07
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/07
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop,
Ulrich Mueller <=
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Jim Porter, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Jim Porter, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/09