Re: [ANN] Emergency bugfix release: Org mode 9.7.5

From: Steven Allen
Subject: Re: [ANN] Emergency bugfix release: Org mode 9.7.5
Date: Sat, 22 Jun 2024 18:58:06 -0700

Greg Troxel <gdt@lexort.com> writes:
> (Thanks for fixing and your efforts on org. I've been an org user since
> at least July of 2010.)
>
> Just to be clear, is this the commit that needs applying to emacs
> sources, 29.3, 28.x, and so on?
Yes, that's the correct commit.
> It seems so, but I would rather not guess. I'm asking on behalf of
> pkgsrc, where I am managing the release process for our 2024Q2 branch,
> due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a
> from-git version. While some should be pruned, some people use it on
> vaxes. Any idea how far back this goes?
It was introduced in org 7.9 (commit [1] from July of 2012). From what I
can tell, it has been present in Emacs since emacs-24.2.
[1]: ef3d4b5965b828e85a535ef3f32999473c6a2a7a
>
> Thanks,
> Greg
>
> commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
> Author: Ihor Radchenko <yantar92@posteo.net>
> Date: Tue Jun 18 13:06:44 2024 +0200
>
> org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
>
> * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
> abbrevs that specify unsafe function. Instead, display a warning, and
> do not expand the abbrev. Clear all the text properties from the
> returned link, to avoid any potential vulnerabilities caused by
> properties that may contain arbitrary Elisp.
>
> diff --git a/lisp/ol.el b/lisp/ol.el
> index 7a7f4f558..8a556c7b9 100644
> --- a/lisp/ol.el
> +++ b/lisp/ol.el
> @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
> (if (not as)
> link
> (setq rpl (cdr as))
> - (cond
> - ((symbolp rpl) (funcall rpl tag))
> - ((string-match "%(\\([^)]+\\))" rpl)
> - (replace-match
> - (save-match-data
> - (funcall (intern-soft (match-string 1 rpl)) tag))
> - t t rpl))
> - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
> - ((string-match "%h" rpl)
> - (replace-match (url-hexify-string (or tag "")) t t rpl))
> - (t (concat rpl tag)))))))
> + ;; Drop any potentially dangerous text properties like
> + ;; `modification-hooks' that may be used as an attack vector.
> + (substring-no-properties
> + (cond
> + ((symbolp rpl) (funcall rpl tag))
> + ((string-match "%(\\([^)]+\\))" rpl)
> + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
> + ;; Using `unsafep-function' is not quite enough because
> + ;; Emacs considers functions like `genenv' safe, while
> + ;; they can potentially be used to expose private system
> + ;; data to attacker if abbreviated link is clicked.
> + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
> + (eq t (get rpl-fun-symbol 'pure)))
> + (replace-match
> + (save-match-data
> + (funcall (intern-soft (match-string 1 rpl)) tag))
> + t t rpl)
> + (org-display-warning
> + (format "Disabling unsafe link abbrev: %s
> +You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
> + rpl (match-string 1 rpl)))
> + (setq org-link-abbrev-alist-local (delete as
> org-link-abbrev-alist-local)
> + org-link-abbrev-alist (delete as org-link-abbrev-alist))
> + link
> + )))
> + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
> + ((string-match "%h" rpl)
> + (replace-match (url-hexify-string (or tag "")) t t rpl))
> + (t (concat rpl tag))))))))
>
> (defun org-link-open (link &optional arg)
> "Open a link object LINK.
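Review bot: the comment above the safety check in this hunk reads "functions like `genenv`"; the Emacs function that `unsafep-function` accepts but that can leak environment data is `getenv`, so the comment should name it correctly. In the same branch, the safe path calls `(funcall (intern-soft (match-string 1 rpl)) tag)` even though `rpl-fun-symbol` already holds that symbol; calling `(funcall rpl-fun-symbol tag)` would make it obvious that the function checked is the function invoked. Finally, the `(symbolp rpl)` branch still does `(funcall rpl tag)` with no `org-link-abbrev-safe` or `pure` check, so the guard only covers the `%(...)` form; if a bare symbol can only reach `org-link-abbrev-alist` from the user's own configuration and is therefore trusted, a one-line comment stating that would document the trust boundary rather than leaving it implicit.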