From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Thu, 09 Mar 2023 08:50:21 +0800
Message-ID: <87cz5in3xu.fsf@yahoo.com>
To: Eli Zaretskii
Cc: Ulrich Mueller, rpluim@gmail.com, emacs-devel@gnu.org
In-Reply-To: <83o7p349f9.fsf@gnu.org> (Eli Zaretskii's message of "Wed, 08 Mar 2023 16:14:34 +0200")

Eli Zaretskii writes:

> I hope it is, but I thought this about Bash as well...

sed is portable as long as you avoid alternation, separators in
patterns, empty parenthesized patterns, character classes, nested
parentheses, and some other pitfalls which don't immediately come to
mind.

Thanks.