From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: charles@aurox.ch (Charles A. Roelli) Newsgroups: gmane.emacs.bugs Subject: bug#28350: enriched.el code execution Date: Mon, 04 Sep 2017 21:24:42 +0200 Message-ID: NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Trace: blaine.gmane.org 1504553191 25480 195.159.176.226 (4 Sep 2017 19:26:31 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Mon, 4 Sep 2017 19:26:31 +0000 (UTC) To: 28350@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Sep 04 21:26:15 2017 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dox0c-0005fE-At for geb-bug-gnu-emacs@m.gmane.org; Mon, 04 Sep 2017 21:26:10 +0200 Original-Received: from localhost ([::1]:55381 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dox0j-0006yy-Dm for geb-bug-gnu-emacs@m.gmane.org; Mon, 04 Sep 2017 15:26:17 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:40922) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dox0Z-0006yK-5s for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:26:11 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dox0U-0002Nl-8q for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:26:07 -0400 Original-Received: from debbugs.gnu.org ([208.118.235.43]:40631) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dox0U-0002Ne-4p for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:26:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dox0T-0002oL-O0 for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:26:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: charles@aurox.ch (Charles A. Roelli) Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 04 Sep 2017 19:26:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 28350 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Original-Received: via spool by submit@debbugs.gnu.org id=B.150455313310768 (code B ref -1); Mon, 04 Sep 2017 19:26:01 +0000 Original-Received: (at submit) by debbugs.gnu.org; 4 Sep 2017 19:25:33 +0000 Original-Received: from localhost ([127.0.0.1]:49312 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dox00-0002nc-VX for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:33 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:49771) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dowzz-0002nM-Uw for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:32 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dowzp-0001eT-VG for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:26 -0400 Original-Received: from lists.gnu.org ([2001:4830:134:3::11]:35254) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dowzp-0001e9-SQ for submit@debbugs.gnu.org; Mon, 04 Sep 2017 15:25:21 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:40627) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dowzk-0006pc-No for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:25:21 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dowzf-0001WF-RF for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:25:16 -0400 Original-Received: from sinyavsky.aurox.ch ([37.35.109.145]:56282) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1dowzf-0001M6-HG for bug-gnu-emacs@gnu.org; Mon, 04 Sep 2017 15:25:11 -0400 Original-Received: from sinyavsky.aurox.ch (sinyavsky.aurox.ch [127.0.0.1]) by sinyavsky.aurox.ch (Postfix) with ESMTP id 592E822523 for ; Mon, 4 Sep 2017 19:19:00 +0000 (UTC) Authentication-Results: sinyavsky.aurox.ch (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=aurox.ch DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aurox.ch; h= content-type:content-type:mime-version:subject:subject:to:from :from:message-id:date:date; s=dkim; t=1504552738; x=1505416739; bh=Ge37mg/HikKbAVW6qG18PqCO/oL5ly/uxtZJXl7hoxE=; b=EOwEUSPYwtEN uRKEjjNL229XNm0zS+fOHfOGfP04PLcfLcgnM263d3RPOuVgNwzo6IMyApR1cDTz yFgK3nI8bGCTqUt6tz7QTI+rVrOQcaiGboNUqTOu3MTEjMkQ9IC+8YfP9zPTF+YF OH7zr0AuQ8UdGHpCERY64HKF9VBe2BM= X-Virus-Scanned: Debian amavisd-new at test.virtualizor.com Original-Received: from sinyavsky.aurox.ch ([127.0.0.1]) by sinyavsky.aurox.ch (sinyavsky.aurox.ch [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id XKrrWFwG6Rez for ; Mon, 4 Sep 2017 19:18:58 +0000 (UTC) Original-Received: from gray (125.85.192.178.dynamic.wline.res.cust.swisscom.ch [178.192.85.125]) by sinyavsky.aurox.ch (Postfix) with ESMTPSA id 874D022520 for ; Mon, 4 Sep 2017 19:18:58 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 208.118.235.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:136585 Archived-At: --=-=-= Content-Type: text/plain Enriched mode implements an extension command to the text/enriched format called "x-display", which stores "display" text properties. It was added awhile ago: commit d9e28c1ca1d95f51a05d052dcf1fe06888d52476 Author: Gerd Moellmann Date: Wed Jul 21 21:43:03 1999 +0000 (enriched-translations): Add `display' and "x-display". (enriched-handle-display-prop): New. (enriched-decode-display-prop): New. It's possible to use this extension command to transparently execute arbitrary code in an Emacs process that opens a text/enriched file. For example, if you open a file containing the following contents: Content-Type: text/enriched Text-Width: 70 (when (message "hello world") nil)test Then "hello world" will be printed in the echo area whenever the "test" text is displayed (which is immediate). Note that the s-expression between the tags needs to conform to a "display" spec: but since there are a few display specs that can execute code, it's not difficult to craft a file that could have bad effects (shell commands work, for example). Additionally, such a file can be compressed with gzip (thus hiding the contents), and when it is opened, Emacs will automatically decompress it and apply the display properties. Attached is an example file (enriched-bug-example.txt) that turns the mode line red as soon as you open it. It works in 23.4, 24.5, 25.2 and master (and possibly earlier versions -- I haven't tested). Other extensions in `enriched-translations' of enriched.el may have similar issues (I don't understand them all, so I hope somebody else can make sure). --=-=-= Content-Type: text/enriched Content-Disposition: attachment; filename=enriched-bug-example.txt Content-Type: text/enriched Text-Width: 70 (when (set-face-attribute (quote mode-line) nil :background "red") nil)test --=-=-=--