From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 18:58:47 +0800
Message-ID: <871qlzo6fs.fsf@yahoo.com>
References: <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org> <20230307172816.2D56BC13915@vcs2.savannah.gnu.org> <877cvsozn5.fsf@yahoo.com> <87zg8onfob.fsf@yahoo.com> <87r0tzoeam.fsf@yahoo.com> <87a60no7su.fsf@yahoo.com>
To: Ulrich Mueller
Cc: emacs-devel@gnu.org
Ulrich Mueller writes:

> Sorry, but I've installed this on emacs-29 with an explicit ack from
> both Eli and Stefan.

Why was this considered okay for emacs-29?

IMHO we should stop kowtowing to the information security people who
make a huge fuss over every single bug, especially bugs like this one
which only show up when you specifically try to trigger them.

Proprietary JavaScript routinely does things far more nasty and
malicious than a hyperlink that can be read before being clicked.

> An alternative solution would be to drop emacsclient-mail.desktop
> altogether, since this desktop file isn't part of any core
> functionality. It could be re-added once emacsclient has gained a
> --funcall argument, so that arguments can be passed in a sane way.

Or perhaps Emacs 29 can forgo this change entirely. Why would anyone
click a URL containing suspicious-looking Lisp code, and who would
actually try to do nasty things with such URLs?

If you have to go out of your way to trigger a bug in a branch that is
supposed to be stable, then fixing it can wait.

Just my two cents. Feel free to disregard them if you want, but keep in
mind it will result in many angry users.
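To illustrate the bug class the subject line refers to, here is an added Python example (not code from Emacs or from either poster): the naive interpolation of a mailto: URL into an `emacsclient --eval` form, which the desktop file is assumed to have used, beside a helper that escapes the characters an Elisp string literal treats specially, checked with a minimal stand-in reader and a sample URL constructed for this example.

```python
import re

# Tokens of a flat Lisp list: whitespace, "string" (group 1), symbol
# (group 2), or a stray paren (group 3).  Constructed for this example.
_TOKEN = re.compile(r'\s+|"((?:[^"\\]|\\.)*)"|([^\s"()]+)|([()])')

def elisp_string_literal(s: str) -> str:
    """Quote s as an Emacs Lisp string literal; inside such a literal
    only backslash and double quote are special."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'

def naive_eval_form(url: str) -> str:
    # Unsafe pattern (assumed to resemble the old desktop file): the URL
    # is substituted verbatim between the quotes of the string literal.
    return '(message-mailto "%s")' % url

def safe_eval_form(url: str) -> str:
    # Hardened form: whatever the URL contains, it stays one string.
    return '(message-mailto %s)' % elisp_string_literal(url)

def read_flat_list(form: str) -> list:
    """Minimal stand-in for the Lisp reader: one flat list of symbols and
    string literals; anything else raises ValueError."""
    if not (form.startswith('(') and form.endswith(')')):
        raise ValueError('not a list')
    body, items, i = form[1:-1], [], 0
    while i < len(body):
        m = _TOKEN.match(body, i)
        if not m or m.group(3):             # stray quote or nested paren
            raise ValueError('malformed form at offset %d' % i)
        if m.group(1) is not None:          # string: resolve \x -> x
            items.append(re.sub(r'\\(.)', r'\1', m.group(1)))
        elif m.group(2):
            items.append(m.group(2))
        i = m.end()
    return items

# Constructed sample: a double quote in the subject breaks the naive form.
TRICKY_URL = 'mailto:alice@example.com?subject=Re:%20"urgent"'

def check(url: str) -> tuple:
    """(naive_ok, safe_ok): does each form read back as exactly
    (message-mailto <url>), i.e. did the URL stay a single argument?"""
    def single_arg(form):
        try:
            return read_flat_list(form) == ['message-mailto', url]
        except ValueError:
            return False
    return single_arg(naive_eval_form(url)), single_arg(safe_eval_form(url))
```

`check(TRICKY_URL)` returns `(False, True)`: the naive form reads back as four elements, the quoted form as the intended two.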