[elpa] externals/eglot 894fe5a 42/45: Fix #154: fix potential security i
From: João Távora
Subject: [elpa] externals/eglot 894fe5a 42/45: Fix #154: fix potential security issue fontifying LSP doc
Date: Thu, 22 Nov 2018 19:15:34 -0500 (EST)
branch: externals/eglot
commit 894fe5a9da9354c5dba826ecbd15562dadbc9fe3
Author: João Távora <address@hidden>
Commit: João Távora <address@hidden>
Fix #154: fix potential security issue fontifying LSP doc
Previously, a server could mistakenly or maliciously call *-mode
functions in the response to a completion or hover request,
specifically in the :documentation field of the response.
Although there are plenty of similar avenues of attack in Emacs, it's
probably a good idea not to let LSP servers decide which functions to
call in an Emacs session running Eglot.
* eglot.el (eglot--format-markup): Call major-mode to fontify
buffer, not some dynamically constructed function name.
(eglot-completion-at-point): Ensure eglot--format-markup runs in
source buffer.
---
eglot.el | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/eglot.el b/eglot.el
index c382c67..f4a02ac 100644
--- a/eglot.el
+++ b/eglot.el
@@ -810,7 +810,7 @@ Doubles as an indicator of snippet support."
(if (stringp markup) (list (string-trim markup)
(intern "gfm-mode"))
(list (plist-get markup :value)
- (intern (concat (plist-get markup :language) "-mode"
))))))
+ major-mode))))
(with-temp-buffer
(ignore-errors (funcall mode))
(insert string) (font-lock-ensure) (buffer-string))))
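Review bot: at the `major-mode))))` line, the mode symbol is now taken from whichever buffer is current when eglot--format-markup is entered (it is bound before `with-temp-buffer`), so the function silently depends on its caller being in the source buffer. The docstring or a comment should state that requirement, and callers other than eglot-completion-at-point need to be checked against it. Also note that `(plist-get markup :language)` is no longer consulted at all, so documentation written in a language other than the buffer's is fontified with the buffer's mode; if per-language fontification is wanted later, map :language through a fixed list of known modes instead of going back to `intern`.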
@@ -1585,11 +1585,13 @@ is not active."
(get-text-property
0 'eglot--lsp-completion obj)
:cancel-on-input t)
- :documentation)))))
- (when documentation
+ :documentation))))
+ (formatted (and documentation
+ (eglot--format-markup documentation))))
+ (when formatted
(with-current-buffer (get-buffer-create " *eglot doc*")
(erase-buffer)
- (insert (eglot--format-markup documentation))
+ (insert formatted)
(current-buffer)))))
:company-prefix-length
(cl-some #'looking-back
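Review bot: the new `formatted` binding only works because it is evaluated in the binding list, ahead of `(with-current-buffer (get-buffer-create " *eglot doc*")`, and nothing in the hunk records that. eglot--format-markup now reads `major-mode` from the current buffer, so a later cleanup that inlines the call back into `(insert ...)` would pick up the mode of the doc buffer instead of the source buffer. Add a short comment on the binding saying it must run in the source buffer.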