From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 08:27:58 +0800
Message-ID: <877cvsozn5.fsf@yahoo.com>
References: <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org> <20230307172816.2D56BC13915@vcs2.savannah.gnu.org>
Cc: Ulrich Müller
To: emacs-devel@gnu.org
In-Reply-To: <20230307172816.2D56BC13915@vcs2.savannah.gnu.org> ("Ulrich Müller"'s message of "Tue, 7 Mar 2023 12:28:16 -0500 (EST)")

Ulrich Müller writes:

> Categories=3DNetwork;Email; > Comment=3DGNU Emacs is an extensible, customizable text editor - and more > -Exec=3Dsh -c "exec emacsclient --alternate-editor=3D --display=3D\\"\\$D= ISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u > +# We want to pass the following commands to the shell wrapper: > +# u=3D${1//\\/\\\\}; u=3D${u//\"/\\\"}; exec emacsclient --alternate-edi= tor=3D --display=3D"$DISPLAY" --eval "(message-mailto \"$u\")" > +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '= \\\\'. 
> +Exec=3Dbash -c "u=3D\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=3D\\${u//\\\\\\= "/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=3D --display=3D\\"\= \$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u > Icon=3Demacs > Name=3DEmacs (Mail, Client) > MimeType=3Dx-scheme-handler/mailto; > @@ -13,7 +16,7 @@ Actions=3Dnew-window;new-instance; >=20=20 > [Desktop Action new-window] > Name=3DNew Window > -Exec=3Dsh -c "exec emacsclient --alternate-editor=3D --create-frame --ev= al \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u > +Exec=3Dbash -c "u=3D\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=3D\\${u//\\\\\\= "/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=3D --create-frame -= -eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u >=20=20 > [Desktop Action new-instance] > Name=3DNew Instance

What if the system in question has no bash? This is not a theoretical question, because I have access to one system which does have .desktop files, but only csh, /bin/sh (which is useless), and ksh93.
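
Review bot: The replacement main Exec line hard-codes `bash -c` where the removed line used `sh -c`, and the comment added above it does not say why. The escaping relies on the `${1//pattern/replacement}` expansion, which POSIX sh does not define, so the mailto handler stops working on any system that reads this desktop file but has no bash installed. Either state the bash requirement in the comment block, or perform the two substitutions with something plain sh provides, such as sed, so the wrapper can stay `sh -c`. The order of the two substitutions (backslash first, then double quote) also deserves a word in the comment: done the other way round, the backslash added in front of each quote would itself be doubled by the second pass.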
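
Review bot: The new-window Exec line in the second hunk repeats the whole escaping script from the main entry at the same depth of desktop-file quoting, but has no decoded form in a comment beside it, so a later edit can easily change one copy and miss the other. Add a short comment here that points to the explanation above the main Exec line. The trailing context also opens `[Desktop Action new-instance]`, whose Exec line lies outside the visible lines; it is worth confirming that it does not build an `--eval` string from `%u` as well.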
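
The same two substitutions written without bash's `${var//pat/rep}` expansion, as an added example that is not part of the patch or of Emacs. It assumes a POSIX-conforming sh with sed and grep; the function names and the sample address are made up for illustration.

```sh
#!/bin/sh
# Added example: escape a mailto: URL for use inside an Elisp
# double-quoted string literal, using only POSIX sh, sed and grep.
# elisp_escape, stays_in_literal and build_eval are hypothetical names.

# Put a backslash in front of every '\' and '"' in $1. A single sed pass
# handles both characters, so no substitution order has to be respected.
elisp_escape() {
    printf '%s\n' "$1" | sed 's/[\"]/\\&/g'
}

# Return 0 if $1 can sit between two double quotes without ending the
# literal early: after dropping every backslash-plus-character pair,
# no bare '"' or '\' may be left over.
stays_in_literal() {
    ! printf '%s\n' "$1" | sed 's/\\.//g' | grep -q '[\"]'
}

# Build the form that would be handed to: emacsclient --eval "$form"
# Prints nothing and returns 1 if the escaped text fails the check.
build_eval() {
    escaped=$(elisp_escape "$1")
    stays_in_literal "$escaped" || return 1
    printf '(message-mailto "%s")' "$escaped"
}

# Constructed sample input (not from the page).
sample='mailto:user@example.org?subject=say "hi" \ bye'
build_eval "$sample"
echo
```

The URL still reaches the script as a positional parameter, as in the patch, so the shell never parses it as code.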