[elpa] 1.2 7e9cc05 098/101: Fix #154: fix potential security issue fonti
From: Christian Johansson
Subject: [elpa] 1.2 7e9cc05 098/101: Fix #154: fix potential security issue fontifying LSP doc
Date: Thu, 29 Apr 2021 15:09:08 -0400 (EDT)

tag: 1.2
commit 7e9cc0519e371f6d368ede1e6561b8d224f0d4d7
Author: João Távora <joaotavora@gmail.com>
Commit: João Távora <joaotavora@gmail.com>

Fix #154: fix potential security issue fontifying LSP doc

Previously, a server could mistakenly or maliciously call *-mode
functions in the response to a completion or hover request,
specifically in the :documentation field of the response.

Although there are plenty of similar avenues of attack in Emacs, it's
probably a good idea not to let LSP servers decide which functions to
call in an Emacs session running Eglot.

* eglot.el (eglot--format-markup): Call major-mode to fontify
buffer, not some dynamically constructed function name.
(eglot-completion-at-point): Ensure eglot--format-markup runs in
source buffer.
---
eglot.el | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/eglot.el b/eglot.el
index c382c67..f4a02ac 100644
--- a/eglot.el
+++ b/eglot.el
@@ -810,7 +810,7 @@ Doubles as an indicator of snippet support."
(if (stringp markup) (list (string-trim markup)
(intern "gfm-mode"))
(list (plist-get markup :value)
- (intern (concat (plist-get markup :language) "-mode"
))))))
+ major-mode))))
(with-temp-buffer
(ignore-errors (funcall mode))
(insert string) (font-lock-ensure) (buffer-string))))
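
Review bot: `major-mode` on the new `+` line is buffer-local and is read before `with-temp-buffer`, so the function that ends up in `(funcall mode)` depends on which buffer the caller has current. The docstring should state that `eglot--format-markup` must be called with the source buffer current, or the function should take the mode as an explicit argument so the dependency is visible at every call site. The docstring could also mention that the `:language` value of the markup is now ignored, so documentation written in a language other than the buffer's is fontified with the buffer's mode. Since `(funcall mode)` now runs the user's real major mode, hooks included, inside a temp buffer, consider wrapping it in `delay-mode-hooks`.
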
@@ -1585,11 +1585,13 @@ is not active."
(get-text-property
0 'eglot--lsp-completion obj)
:cancel-on-input t)
- :documentation)))))
- (when documentation
+ :documentation))))
+ (formatted (and documentation
+ (eglot--format-markup documentation))))
+ (when formatted
(with-current-buffer (get-buffer-create " *eglot doc*")
(erase-buffer)
- (insert (eglot--format-markup documentation))
+ (insert formatted)
(current-buffer)))))
:company-prefix-length
(cl-some #'looking-back
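
Review bot: the new `formatted` binding reads `documentation` from the same binding list, so the enclosing form, which lies above the hunk context, has to be `let*`; with a plain `let`, `documentation` would not yet be bound when `(and documentation (eglot--format-markup documentation))` is evaluated. Please confirm that. A short comment next to `formatted` saying that `eglot--format-markup` is deliberately called before `with-current-buffer` would also help, because moving it back inside would make `major-mode` refer to the ` *eglot doc*` buffer instead of the source buffer, and nothing in the code currently signals that ordering constraint.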