From: Jim Porter <jporterbugs@gmail.com>
To: Po Lu <luangruo@yahoo.com>, Robert Pluim <rpluim@gmail.com>
Cc: Eli Zaretskii <eliz@gnu.org>, ulm@gentoo.org, emacs-devel@gnu.org
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Thu, 9 Mar 2023 10:36:01 -0800 [thread overview]
Message-ID: <4a2a3297-698e-c617-eec3-62664a578c1c@gmail.com> (raw)
In-Reply-To: <878rg6jkby.fsf@yahoo.com>
On 3/9/2023 2:22 AM, Po Lu wrote:
> Robert Pluim <rpluim@gmail.com> writes:
>
>>>>>>> On Wed, 8 Mar 2023 10:54:08 -0800, Jim Porter <jporterbugs@gmail.com> said:
>>
>> Jim> 'set-arg' is probably simple enough that we could expect users to
>> Jim> write it themselves. '--apply' is a bit tricky (for emacsclient at
>> Jim> least), since we'd need to properly escape strings. I guess the
>> Jim> complexity of doing this would depend on how we did the escaping
>> Jim> though.
>>
>> Iʼm not sure what escaping is needed. We take each command line
>> argument and pass it to emacs wrapped in "" so itʼs treated as a
>> string.
Well, not quite. That's similar to the bug the commit in this thread is
fixing. If I pass emacs an argument like this,
hi" (delete-directory "/" t) "bye
then simply wrapping it with "" isn't enough, so we need something a
little more elaborate. This is probably pretty straightforward for
emacs, but (possibly) more complex for emacsclient. One option for
'--apply' in emacsclient would be to build a properly-escaped Lisp form
and then call '-eval' on the server; another would be to add some new
commands to 'server-process-filter' and let the Emacs server build the
form to evaluate.
The latter seems more in-line with the rest of server.el, since the
protocol has its own way of quoting/unquoting arguments (see
'server-quote-arg', 'server-unquote-arg'). We could probably use that to
make the job easier in emacsclient.c.
> I'm not quite familiar with emacsclient, but can't we have emacsclient
> run Lisp from stdin? That sounds much more flexible.
Yes, but the goal of this commit (and '--apply', as discussed in
bug#57752), is to pass arguments to a Lisp function as properly-escaped
strings. If we want to prevent code injection possibilities, then I
don't see how '--eval' will help, unless we just expect users to do
their own escaping. (But that's what the commit in this thread did.)
next prev parent reply other threads:[~2023-03-09 18:36 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org>
[not found] ` <20230307172816.2D56BC13915@vcs2.savannah.gnu.org>
2023-03-08 0:27 ` emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop Po Lu
2023-03-08 2:14 ` Ulrich Mueller
2023-03-08 2:24 ` Po Lu
2023-03-08 7:15 ` Ulrich Mueller
2023-03-08 8:09 ` Po Lu
2023-03-08 8:32 ` Ulrich Mueller
2023-03-08 10:29 ` Po Lu
2023-03-08 10:39 ` Ulrich Mueller
2023-03-08 10:44 ` Robert Pluim
2023-03-08 11:08 ` Ulrich Mueller
2023-03-08 11:29 ` Ulrich Mueller
2023-03-08 11:47 ` Robert Pluim
2023-03-08 14:17 ` Eli Zaretskii
2023-03-08 15:47 ` Robert Pluim
2023-03-08 17:03 ` Jim Porter
2023-03-08 17:20 ` Robert Pluim
2023-03-08 17:41 ` Eli Zaretskii
2023-03-08 18:54 ` Jim Porter
2023-03-09 9:30 ` Robert Pluim
2023-03-09 10:22 ` Po Lu
2023-03-09 10:50 ` Robert Pluim
2023-03-09 18:36 ` Jim Porter [this message]
2023-03-08 11:44 ` Po Lu
2023-03-08 14:14 ` Eli Zaretskii
2023-03-09 0:50 ` Po Lu
2023-03-09 7:19 ` Eli Zaretskii
2023-03-09 7:25 ` Po Lu
2023-03-09 7:49 ` Manuel Giraud via Emacs development discussions.
2023-03-09 8:20 ` tomas
2023-03-08 10:58 ` Po Lu
2023-03-08 11:44 ` Ulrich Mueller
2023-03-08 14:13 ` Eli Zaretskii
2023-03-08 14:05 ` Eli Zaretskii
2023-03-08 10:37 ` Robert Pluim
2023-03-08 12:14 ` Ulrich Mueller
2023-03-08 15:49 ` Robert Pluim
2023-03-08 14:04 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4a2a3297-698e-c617-eec3-62664a578c1c@gmail.com \
--to=jporterbugs@gmail.com \
--cc=eliz@gnu.org \
--cc=emacs-devel@gnu.org \
--cc=luangruo@yahoo.com \
--cc=rpluim@gmail.com \
--cc=ulm@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).