From: Jim Porter
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Thu, 9 Mar 2023 10:36:01 -0800
Message-ID: <4a2a3297-698e-c617-eec3-62664a578c1c@gmail.com>
To: Po Lu, Robert Pluim
Cc: Eli Zaretskii, ulm@gentoo.org, emacs-devel@gnu.org

On 3/9/2023 2:22 AM, Po Lu wrote:
> Robert Pluim writes:
>
>>>>>>> On Wed, 8 Mar 2023 10:54:08 -0800, Jim Porter said:
>>
>> Jim> 'set-arg' is probably simple enough that we could expect users to
>> Jim> write it themselves. '--apply' is a bit tricky (for emacsclient at
>> Jim> least), since we'd need to properly escape strings. I guess the
>> Jim> complexity of doing this would depend on how we did the escaping
>> Jim> though.
>>
>> Iʼm not sure what escaping is needed. We take each command line
>> argument and pass it to emacs wrapped in "" so itʼs treated as a
>> string.

Well, not quite. That's similar to the bug the commit in this thread is fixing.
If I pass emacs an argument like this,

  hi" (delete-directory "/" t) "bye

then simply wrapping it with "" isn't enough, so we need something a
little more elaborate. This is probably pretty straightforward for
emacs, but (possibly) more complex for emacsclient.

One option for '--apply' in emacsclient would be to build a
properly-escaped Lisp form and then call '-eval' on the server; another
would be to add some new commands to 'server-process-filter' and let the
Emacs server build the form to evaluate. The latter seems more in-line
with the rest of server.el, since the protocol has its own way of
quoting/unquoting arguments (see 'server-quote-arg',
'server-unquote-arg'). We could probably use that to make the job easier
in emacsclient.c.

> I'm not quite familiar with emacsclient, but can't we have emacsclient
> run Lisp from stdin? That sounds much more flexible.

Yes, but the goal of this commit (and '--apply', as discussed in
bug#57752), is to pass arguments to a Lisp function as properly-escaped
strings. If we want to prevent code injection possibilities, then I
don't see how '--eval' will help, unless we just expect users to do
their own escaping. (But that's what the commit in this thread did.)
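
The quoting problem discussed in the message above, as an added example that is not part of the original post and is not code from emacsclient.c: it wraps an argument in "" both unchanged and with '\' and '"' backslash-escaped, then checks whether the result is still a single Lisp string literal. The function names wrap_naive, wrap_escaped and is_single_string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Naive wrapping from the quoted text: ARG between double quotes, unchanged. */
int wrap_naive(const char *arg, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "\"%s\"", arg);
    return n >= 0 && (size_t)n < outsz;
}

/* Escaped wrapping: backslash-escape '\' and '"' first, the two
   characters prin1 escapes when it prints a string.  0 if OUT is too small. */
int wrap_escaped(const char *arg, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return 0;
    out[o++] = '"';
    for (; *arg; arg++) {
        size_t esc = (*arg == '"' || *arg == '\\');
        if (o + esc + 3 > outsz) return 0;  /* char(s) + closing quote + NUL */
        if (esc) out[o++] = '\\';
        out[o++] = *arg;
    }
    out[o++] = '"';
    out[o] = '\0';
    return 1;
}

/* 1 if the first unescaped '"' after the opening one is FORM's last character. */
int is_single_string(const char *form)
{
    if (form[0] != '"') return 0;
    for (size_t i = 1; form[i]; i++) {
        if (form[i] == '"') return form[i + 1] == '\0';
        if (form[i] == '\\' && !form[++i]) return 0;  /* dangling backslash */
    }
    return 0;  /* never terminated */
}

int main(void)
{
    const char *arg = "hi\" (delete-directory \"/\" t) \"bye"; /* from the message */
    char buf[128];
    wrap_naive(arg, buf, sizeof buf);
    printf("naive:   %s single-string=%d\n", buf, is_single_string(buf));
    wrap_escaped(arg, buf, sizeof buf);
    printf("escaped: %s single-string=%d\n", buf, is_single_string(buf));
    return 0;
}
```

The check covers only the Lisp string layer; any shell or .desktop quoting around the command is a separate layer.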