From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Stefan Kangas Newsgroups: gmane.emacs.bugs Subject: bug#65902: 29.0.92; emacsclient-mail.desktop fails due to complicated escaping Date: Fri, 22 Sep 2023 00:05:20 -0700 Message-ID: References: <80d8aeb0-c9f1-410f-b83d-60f83ca5b3af@email.android.com> <83led8ls3z.fsf@gnu.org> <835y4ckkzu.fsf@gnu.org> <874jjnvvip.fsf@catern.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="39874"; mail-complaints-to="usenet@ciao.gmane.io" Cc: jporterbugs@gmail.com, 65902@debbugs.gnu.org, Spencer Baugh To: sbaugh@catern.com, Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Fri Sep 22 09:06:01 2023 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1qjaEj-000A8V-N6 for geb-bug-gnu-emacs@m.gmane-mx.org; Fri, 22 Sep 2023 09:06:01 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1qjaEb-0002Lt-AR; Fri, 22 Sep 2023 03:05:53 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qjaEa-0002FU-4U for bug-gnu-emacs@gnu.org; Fri, 22 Sep 2023 03:05:52 -0400 Original-Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1qjaEZ-0007OO-LV for bug-gnu-emacs@gnu.org; Fri, 22 Sep 2023 03:05:51 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1qjaEj-0008QB-Sp for bug-gnu-emacs@gnu.org; Fri, 22 Sep 2023 03:06:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Kangas Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Fri, 22 Sep 2023 07:06:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 65902 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 65902-submit@debbugs.gnu.org id=B65902.169536634132344 (code B ref 65902); Fri, 22 Sep 2023 07:06:01 +0000 Original-Received: (at 65902) by debbugs.gnu.org; 22 Sep 2023 07:05:41 +0000 Original-Received: from localhost ([127.0.0.1]:35181 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qjaEP-0008Pc-2i for submit@debbugs.gnu.org; Fri, 22 Sep 2023 03:05:41 -0400 Original-Received: from mail-lj1-x22f.google.com ([2a00:1450:4864:20::22f]:58722) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qjaEL-0008PM-D5 for 65902@debbugs.gnu.org; Fri, 22 Sep 2023 03:05:40 -0400 Original-Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-2c022ce8114so30910021fa.1 for <65902@debbugs.gnu.org>; Fri, 22 Sep 2023 00:05:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695366321; x=1695971121; darn=debbugs.gnu.org; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:from:to:cc:subject:date:message-id:reply-to; bh=3tXEO5fZN9QEkDOWZRZL4YbeYwawJEiRdAYOA7I2l3o=; b=Balqs+bXhjYXPb/2VIJe5tWVqWe/SUF3vEUqKYd2Md1VrFXm8o3j4fLp/DoOKlFjua MMX3mrg5Qku3IrxhSdN8w5T++CBqhGrzWyDxuFRg0XXsXsKAMfo7vZleVB3GIkx00VV2 OQ3mUKY7Ovxi3fk1VFu/em36u+yRFPM3V7mn9NTB5u1GghJ0WOEnyo4KQmmAaW3URMmW pknnUGfnuvmrgF05WeggKqbVrKDIUTLVRlsSNHKFLzP9UIg4LKfw6/wP2c/2jfnXVvU3 azZNpPs/yZB8Q9gJCUlD7fw4MS7SwbAyfZ9uGO54EA/2unK0a9BSp4XBKLozwptEDyC0 B5Zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695366321; x=1695971121; h=cc:to:subject:message-id:date:mime-version:references:in-reply-to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3tXEO5fZN9QEkDOWZRZL4YbeYwawJEiRdAYOA7I2l3o=; b=r0eA+R4Pe3gtWdP+lUIGeqE8PUMBMlz3vjXsTWHguC/Ij1uU4BQKbeTPC0aeR4c4zy W5QoPBMNf1eOOmoMVK3Ej6npW3yBdc4yQeQ07mV+mGsBSZpmcON3Se5c9QGzLO9xdqC4 REWbY+wo2/JEIqLo9XgDvkll3FQdQIQMIhcm+x/YXve1WWQ26ycnMHgvuoDFvnM2Iv71 cqYyBtjcWnhdtigJCQ5iQ/PFAcRsniCYM/TxNPqLuL8YDIfvtbwNN/7bs6eMxu3Mzz9U l7mH60wKpn+5b74QdqRzvMDxnObvt+hV+hC2MX/nshRGU50NyJ6w+GQPH3GltyWP4sz/ SWLQ== X-Gm-Message-State: AOJu0YyZKkLea1Ctbkdzlz6xdofcorlKbxQwjpLkJUF5p4HuXsxJ84CP ASRc5l5hCf9whM9CsSTOuuW5XRrf/sU15JhdzUg= X-Google-Smtp-Source: AGHT+IGYjNo46Mbcn60BPMPu7TsftmxXqPkE8jHvCsWsYsPnYm0IY/1HajGvfbeV+5u2Tvkf/UDNTSSEbvNe/GaPvZU= X-Received: by 2002:a2e:b614:0:b0:2ba:8127:a2c3 with SMTP id r20-20020a2eb614000000b002ba8127a2c3mr5952210ljn.34.1695366320771; Fri, 22 Sep 2023 00:05:20 -0700 (PDT) Original-Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Fri, 22 Sep 2023 00:05:20 -0700 In-Reply-To: <874jjnvvip.fsf@catern.com> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:271040 Archived-At: sbaugh@catern.com writes: > diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop > index 0a2420ddead..5962fa1764c 100644 > --- a/etc/emacsclient-mail.desktop > +++ b/etc/emacsclient-mail.desktop > @@ -1,10 +1,7 @@ > [Desktop Entry] > Categories=Network;Email; > Comment=GNU Emacs is an extensible, customizable text editor - and more > -# We want to pass the following commands to the shell wrapper: > -# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" > -# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. > -Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u > +Exec=emacsclient --alternate-editor= --eval '(message-mailto (pop server-eval-args-left))' %u As Spencer pointed out upthread, the mailto: links come from untrusted sources (e.g. websites). Escaping is infamous for being hard to get right, and for that reason is a popular attack vector among bad actors. I think it would be good if we could reduce the amount of stuff we have to remember escaping here, or even better if we didn't need to escape anything at all. It's analogous to the case `shell-command-to-string' (which uses a shell) vs `call-process' (which doesn't). To my mind, this speaks in favor of some type of change in this direction. My two cents.