From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#28350: enriched.el code execution Date: Sat, 09 Sep 2017 19:55:37 +0300 Message-ID: <83wp57vmk6.fsf@gnu.org> References: <837exb1bk5.fsf@gnu.org> <838thovvcr.fsf@gnu.org> Reply-To: Eli Zaretskii NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Trace: blaine.gmane.org 1504976248 12577 195.159.176.226 (9 Sep 2017 16:57:28 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Sat, 9 Sep 2017 16:57:28 +0000 (UTC) Cc: 28350@debbugs.gnu.org To: charles@aurox.ch (Charles A. Roelli) Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sat Sep 09 18:57:23 2017 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dqj44-0002AK-Q1 for geb-bug-gnu-emacs@m.gmane.org; Sat, 09 Sep 2017 18:57:04 +0200 Original-Received: from localhost ([::1]:50268 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dqj4B-00040j-U2 for geb-bug-gnu-emacs@m.gmane.org; Sat, 09 Sep 2017 12:57:11 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:49896) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dqj45-000401-UL for bug-gnu-emacs@gnu.org; Sat, 09 Sep 2017 12:57:06 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dqj42-0002NL-SM for bug-gnu-emacs@gnu.org; Sat, 09 Sep 2017 12:57:05 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:49062) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dqj42-0002Mn-Oc for bug-gnu-emacs@gnu.org; Sat, 09 Sep 2017 12:57:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dqj42-0001sf-9r for bug-gnu-emacs@gnu.org; Sat, 09 Sep 2017 12:57:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 09 Sep 2017 16:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security Original-Received: via spool by 28350-submit@debbugs.gnu.org id=B28350.15049761627145 (code B ref 28350); Sat, 09 Sep 2017 16:57:02 +0000 Original-Received: (at 28350) by debbugs.gnu.org; 9 Sep 2017 16:56:02 +0000 Original-Received: from localhost ([127.0.0.1]:57743 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dqj33-0001r5-MD for submit@debbugs.gnu.org; Sat, 09 Sep 2017 12:56:02 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:58684) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dqj32-0001qs-2P for 28350@debbugs.gnu.org; Sat, 09 Sep 2017 12:56:00 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dqj2t-00016o-QP for 28350@debbugs.gnu.org; Sat, 09 Sep 2017 12:55:54 -0400 Original-Received: from fencepost.gnu.org ([2001:4830:134:3::e]:42602) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dqj2t-00016i-MB; Sat, 09 Sep 2017 12:55:51 -0400 Original-Received: from 84.94.185.246.cable.012.net.il ([84.94.185.246]:1673 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dqj2r-0003eR-3C; Sat, 09 Sep 2017 12:55:51 -0400 In-reply-to: (charles@aurox.ch) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:136710 Archived-At: > Date: Sat, 09 Sep 2017 17:57:10 +0200 > From: charles@aurox.ch (Charles A. Roelli) > CC: 28350@debbugs.gnu.org > > > > +See Info node `(elisp)Display Property' for the use of these > > > +display specifications." > > > + (ignore-errors > > > + (or (stringp prop) > > ^^^^^^^^^^^^ > > What about an image spec (including a slice spec)? > > Okay, I see that image specs can be safe. But are they all safe? I think they are. Does anyone know different? > And I don't understand how a slice spec is used together with an image > spec. Is the slice spec used inside of IMAGE-PROPS, i.e. as you might > gather from the manual: > > ‘(image . IMAGE-PROPS)’ > This kind of display specification is an image descriptor (*note > Images). When used as a display specification, it means to > display the image instead of the text that has the display > specification. > > ‘(slice X Y WIDTH HEIGHT)’ > This specification together with ‘image’ specifies a “slice” (a > partial area) of the image to display. > > ? AFAIU, like this: ((slice X Y WIDTH HEIGHT) (image . IMAGE-PROPS)) You can see examples of this in image.el and image-mode.el. > At this point it seems that unsafe display specs are more the > exception than the rule, so it might make sense to define the > `enriched-display-prop-safe-p' function by excluding the unsafe > specifications instead of including the safe ones. What do you > think? I'm not sure. The display spec can be complex, so to make sure none of these exceptions sneak through, you will have to recursively unpack the spec data structure and examine each of the elements, which smells too similar to emulating 'eval'. No? Thanks.