From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#28350: enriched.el code execution
Date: Sat, 09 Sep 2017 16:45:40 +0300
Message-ID: <838thovvcr.fsf@gnu.org>
References: <837exb1bk5.fsf@gnu.org>
To: charles@aurox.ch (Charles A. Roelli)
Cc: 28350@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

> Date: Sat, 09 Sep 2017 14:23:54 +0200
> From: charles@aurox.ch (Charles A. Roelli)
> CC: 28350@debbugs.gnu.org
>
> Thank you. Does the attached patch look OK? I've used the file
> enriched-test-safe-props.txt (also attached) to test that safe
> properties are still applied.

Thank you for working on this. I have some comments:

> --- a/lisp/textmodes/enriched.el > +++ b/lisp/textmodes/enriched.el 
> @@ -503,6 +503,47 @@ enriched-decode-display-prop > (error nil))))) > (unless prop > (message "Warning: invalid parameter %s" param)) > - (list start end 'display prop))) > + (if (enriched-display-prop-safe-p prop) > + (list start end 'display prop) > + (message "Warning: unsafe parameter %s not applied" param) > + (list start end)))) I think we will want to allow unsafe display properties, given a user's explicit permission. So I think we need a defcustom that allows this, and then enriched-display-prop-safe-p should always return non-nil. > +See Info node `(elisp)Display Property' for the use of these > +display specifications." > + (ignore-errors > + (or (stringp prop) ^^^^^^^^^^^^ What about an image spec (including a slice spec)? > + (and (eq (car prop) 'space-width) > + (or (integerp (cadr prop)) (floatp (cadr prop)))) > + (and (consp (car prop)) > + (eq (caar prop) 'margin) > + (or (eq (cadar prop) 'right-margin) > + (eq (cadar prop) 'left-margin)) > + (stringp (cadr prop))) The margin display can also specify an image, not just a string, and I think that would be safe as well. > + (and (eq (car prop) 'height) > + (or (integerp (cadr prop)) > + (and (listp (cadr prop)) > + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) > + (integerp (elt (cadr prop) 1))))) ^^^^^^^^ I think this should be numberp, as the value could also safely be a float. > + (and (eq (car prop) 'raise) > + (integerp (cadr prop)))))) ^^^^^^^^ The FACTOR in (raise FACTOR) can also be a float, so I think numberp is the correct predicate here. And then what about (space . PROPS) type of display spec? I think all of its variants are safe.
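
Review bot: In the height clause of enriched-display-prop-safe-p, the second arm of (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) is missing its eq, so (elt (cadr prop) 0) and '- are passed to or as separate arguments, and because '- is non-nil the or always succeeds. As written, any list whose second element is an integer is accepted as a safe height value whatever its first element is, which defeats the purpose of the predicate. Suggest replacing the or with (memq (elt (cadr prop) 0) '(+ -)), and adding a test case with a height list whose first element is neither + nor - to confirm it is rejected. A smaller point in the same hunk: when prop is nil, enriched-decode-display-prop now emits both the "invalid parameter" and the "unsafe parameter ... not applied" warnings for the same input; one of them should be skipped.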