From: charles@aurox.ch (Charles A. Roelli)
Newsgroups: gmane.emacs.bugs
Subject: bug#28350: enriched.el code execution
Date: Sat, 09 Sep 2017 14:23:54 +0200
References: <837exb1bk5.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
To: Eli Zaretskii
Cc: 28350@debbugs.gnu.org
X-GNU-PR-Message: followup 28350
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
In-reply-to: <837exb1bk5.fsf@gnu.org> (message from Eli Zaretskii on Thu, 07 Sep 2017 05:34:34 +0300)
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:136703

--=-=-=
Content-Type: text/plain

> Date: Thu, 07 Sep 2017 05:34:34 +0300
> From: Eli Zaretskii
> CC: 28350@debbugs.gnu.org
>
> > Date: Wed, 06 Sep 2017 21:25:18 +0200
> > From: charles@aurox.ch (Charles A. Roelli)
> >
> > As for a fix to apply to master: I'd like to keep "x-display" if we
> > can agree on some "safe" predicate that the given parameter would have
> > to satisfy.  Looking at the list of display specifications that are
> > available, it seems that simple string, margin text, space-width,
> > height (only in the (+ n), (- n) and n cases) and raise specifications
> > should be okay.  Does anybody else have an opinion about this?
>
> I agree that the cases you have shown are safe.
>
> Thanks.

Thank you.  Does the attached patch look OK?  I've used the file
enriched-test-safe-props.txt (also attached) to test that safe
properties are still applied.

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-Prevent-code-execution-by-text-enriched-files-Bug-28.patch

>From 1c58b3e76a80a342c2f7e96d91214fe49678f471 Mon Sep 17 00:00:00 2001
From: "Charles A. Roelli"
Date: Sat, 9 Sep 2017 14:03:58 +0200
Subject: [PATCH] Prevent code execution by text/enriched files (Bug#28350)

* lisp/textmodes/enriched.el (enriched-display-prop-safe-p): New function.
(enriched-decode-display-prop): Use it to prevent unsafe display
properties from being applied.
---
 lisp/textmodes/enriched.el | 43 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index 7ace2a5..f496259 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -503,6 +503,47 @@ enriched-decode-display-prop (error nil))))) (unless prop (message "Warning: invalid parameter %s" param)) - (list start end 'display prop))) + (if (enriched-display-prop-safe-p prop) + (list start end 'display prop) + (message "Warning: unsafe parameter %s not applied" param) + (list start end)))) + +(defun enriched-display-prop-safe-p (prop) + "Return t if display property PROP is safe to apply to text. + +A safe display property is either: + + - a string, + + - a space-width display specification, (space-width factor), + where FACTOR is an integer or a float, + + - a margin display specification, ((margin right-margin) spec) + or ((margin left-margin) spec), where SPEC is a string, + + - a height display specification, (height spec), where SPEC is + of the form (+ n), (- n) or n, and N is an integer, + + - or a raise display specification, (raise factor), where + FACTOR is an integer. + +See Info node `(elisp)Display Property' for the use of these +display specifications." + (ignore-errors + (or (stringp prop) + (and (eq (car prop) 'space-width) + (or (integerp (cadr prop)) (floatp (cadr prop)))) + (and (consp (car prop)) + (eq (caar prop) 'margin) + (or (eq (cadar prop) 'right-margin) + (eq (cadar prop) 'left-margin)) + (stringp (cadr prop))) + (and (eq (car prop) 'height) + (or (integerp (cadr prop)) + (and (listp (cadr prop)) + (or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-) + (integerp (elt (cadr prop) 1))))) + (and (eq (car prop) 'raise) + (integerp (cadr prop)))))) ;;; enriched.el ends here -- 2.9.4 --=-=-= Content-Type: text/enriched Content-Disposition: attachment; filename=enriched-test-safe-props.txt Content-Type: text/enriched Text-Width: 70 "replace"test (space-width 5)large spaces ((margin left-margin) "string")marginal text (height 3)tall text (raise 5)raised text --=-=-=--
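Review bot: the height branch of `enriched-display-prop-safe-p` does not enforce the `(+ n)` / `(- n)` restriction its docstring promises. In `(or (eq (elt (cadr prop) 0) '+) (elt (cadr prop) 0) '-)` the closing paren after `'+` ends the first `eq`, so the `or` receives `(elt (cadr prop) 0)` and the bare quoted symbol `'-` as two further arguments; a quoted symbol is never nil, so the `or` is always true and the branch reduces to "a list whose second element is an integer". A spec such as `(height (some-function 3))` is therefore reported as safe and applied, which is exactly the kind of non-literal height spec the predicate exists to keep out. Suggested replacement: `(or (eq (elt (cadr prop) 0) '+) (eq (elt (cadr prop) 0) '-))`. The attached enriched-test-safe-props.txt only exercises accepted specs; since this function is an allowlist, please also add negative cases (an ERT test would do) so that a slip like this one fails the test suite rather than shipping.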
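The message above tests the allowlist only with specs that should be accepted. As an added example (not part of the patch or of Emacs), the ERT file below checks both directions: it assumes the patched lisp/textmodes/enriched.el is loadable, that the height branch compares the list head with `eq` against both `+` and `-`, and it uses constructed specs; the accepted list mirrors the five specs in enriched-test-safe-props.txt plus the remaining forms the docstring names.

```elisp
;;; enriched-safe-props-tests.el --- added ERT tests for the allowlist  -*- lexical-binding: t -*-

;; Added example, not part of the patch or of Emacs.  Assumes the
;; patched lisp/textmodes/enriched.el is on `load-path' and that the
;; height branch of `enriched-display-prop-safe-p' reads
;;   (or (eq (elt (cadr prop) 0) '+) (eq (elt (cadr prop) 0) '-))
;; Every spec below is constructed for this test.

(require 'ert)
(require 'enriched)

(defconst enriched-safe-props-test--accepted
  '("replace"                          ; plain string
    (space-width 5)                    ; integer factor
    (space-width 1.5)                  ; float factor
    ((margin left-margin) "string")
    ((margin right-margin) "string")
    (height 3)
    (height (+ 2))
    (height (- 1))
    (raise 5))
  "Display specs the allowlist must accept.
The string, (space-width 5), the left-margin spec, (height 3) and
(raise 5) are the specs in enriched-test-safe-props.txt; the others
cover the remaining forms the docstring lists.")

(defconst enriched-safe-props-test--rejected
  '(nil
    (when t "x")                        ; conditional spec: the display engine evaluates it
    (height (some-function 3))          ; arbitrary form in a height spec, not (+ n) or (- n)
    (height "3")
    (height (+ "2"))
    (height (+))                        ; no step count
    (space-width "5")
    ((margin left-margin) (when t "x")) ; margin text must be a plain string
    ((margin top) "string")             ; only left-margin and right-margin are listed
    (raise 1.5)                         ; raise takes an integer
    (image :type xpm :data "")          ; any other spec type
    (slice 0 0 1 1))
  "Display specs the allowlist must reject (constructed examples).")

(ert-deftest enriched-safe-props/accepts-allowlisted-specs ()
  (dolist (spec enriched-safe-props-test--accepted)
    (should (enriched-display-prop-safe-p spec))))

(ert-deftest enriched-safe-props/rejects-everything-else ()
  (dolist (spec enriched-safe-props-test--rejected)
    (should-not (enriched-display-prop-safe-p spec))))

(ert-deftest enriched-safe-props/never-signals ()
  "Malformed input must yield nil, not an error, so decoding continues."
  (dolist (spec '(42 [height 3] (height . 3) ((margin) "x") (space-width)))
    (should-not (enriched-display-prop-safe-p spec))))

;;; enriched-safe-props-tests.el ends here
```

Run it with `emacs -batch -l ert -l enriched-safe-props-tests.el -f ert-run-tests-batch-and-exit`. Against the patch exactly as posted, the `(height (some-function 3))` case in the rejected list fails, because the trailing `'-` argument makes the `or` in the height branch unconditionally true; with the `eq` comparison restored it passes, and the negative list is what keeps the allowlist honest as further spec types are added.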