From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 16:14:34 +0200
Message-ID: <83o7p349f9.fsf@gnu.org>
References: <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org> <20230307172816.2D56BC13915@vcs2.savannah.gnu.org> <877cvsozn5.fsf@yahoo.com> <87zg8onfob.fsf@yahoo.com> <87r0tzoeam.fsf@yahoo.com> <87a60no7su.fsf@yahoo.com> <87edpzplom.fsf@gmail.com>
To: Ulrich Mueller
Cc: rpluim@gmail.com, luangruo@yahoo.com, emacs-devel@gnu.org
In-Reply-To: (message from Ulrich Mueller on Wed, 08 Mar 2023 12:08:42 +0100)

> From: Ulrich Mueller
> Cc: Po Lu, emacs-devel@gnu.org
> Date: Wed, 08 Mar 2023 12:08:42 +0100
>
> >>>>> On Wed, 08 Mar 2023, Robert Pluim wrote:
>
> > Fair enough, but is there no way to get it to use `sed' instead?
>
> Sure, something like this (not yet tested):
>
> -Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
> +Exec=sh -c "u=\\$\\(echo \\"\\$1\\" | sed \\'s/[\\\\\\"]/\\\\\\\\\\&/g\\'\\); exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
>
> Sorry, but it doesn't get less ugly. :) Also, it will now call _two_
> external programs. Is this acceptable

Yes.  Ugliness is not relevant: no one should be looking at this file
unless they want to hack on it.

> and is it guaranteed that sed will be available on users' systems?

I hope it is, but I thought this about Bash as well...
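Review bot: in the `+Exec=sh -c ...` line the URL reaches sed through `echo "$1"`, and `echo` is the weak point of that pipeline: when `sh` is dash (the default `/bin/sh` on Debian-derived systems) the builtin `echo` interprets backslash sequences such as `\n` and `\c`, and several `echo` implementations treat a leading `-n` or `-e` as options, so a `mailto:` argument that contains a backslash can be rewritten or cut short before sed runs, and a backslash is one of the two characters the `s/[\\"]/\\&/g` substitution exists to neutralize. Use `printf '%s\n' "$1" | sed ...` instead (with the `%` doubled to `%%`, since `%` is a field code in a desktop-entry Exec key); printf passes the argument through unchanged on every POSIX shell. The sed dependency itself is fine: the `-` line needed bash only for the `${1//...}` pattern substitutions, and sed is a POSIX-mandated utility, so the second process buys a smaller shell requirement.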