From: Po Lu
Newsgroups: gmane.emacs.devel
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 16:09:05 +0800
Message-ID: <87r0tzoeam.fsf@yahoo.com>
To: Ulrich Mueller
Cc: emacs-devel@gnu.org
In-Reply-To: Ulrich Mueller's message of "Wed, 08 Mar 2023 08:15:48 +0100"

Ulrich Mueller writes:

>>>>>> On Wed, 08 Mar 2023, Po Lu wrote:
>
>> Ulrich Mueller writes:
>>> Then the desktop file won't work, obviously. The problem is that
>>> ${PARAMETER//PATTERN/STRING} substitution is not available in POSIX
>>> parameter expansion. So with POSIX sh, an external program (e.g. sed)
>>> would have to be called.
>>>
>>> The long term solution (suggested by Stefan Monnier) might be to add
>>> a --funcall option to emacsclient. Then there would be no need for a
>>> shell wrapper, in the first place.
>>>
>>> Should the Makefile skip installation of emacsclient-mail.desktop
>>> when bash isn't available on the system?
>
>> Could we install this change not on emacs-29, but on master?
>
>> I don't think the problem it solves is severe, nor a regression from
>> Emacs 28.
>> It is rather a minor nuisance with certain URLs.
>
> Seriously? It is a vulnerability that allows remote injection of
> arbitrary Elisp code through a crafted "mailto" URI.

For it to be a vulnerability, you will have to click such mailto URIs in
your web browser without first reading them, and some nasty person will
have to specifically create URIs that run insidious Emacs Lisp code.

How about something simpler: one can copy a command to download malware
from the Internet, then paste it into a shell buffer. Let's remove a
serious command injection vulnerability, ``M-x shell'', from Emacs 29!
While we're at it, how about `interprogram-paste-function' as well?
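Ulrich's point above, that POSIX sh has no ${PARAMETER//PATTERN/STRING} and would have to call an external program such as sed to escape the URI, shown in working shell. This is an added example, not the emacsclient-mail.desktop file or the emacs-29 fix; elisp_quote and mailto_eval_form are hypothetical names, and it assumes the form handed to emacsclient --eval is (message-mailto ...).

```shell
# Added example, not the Emacs desktop file or its fix: escaping a mailto
# URI for an Elisp string literal in POSIX sh by calling sed, since POSIX
# parameter expansion has no //PATTERN/STRING substitution.

# Escape a value for use inside an Elisp double-quoted string literal.
# Only backslash and double quote are special there; everything else,
# including parentheses, stays inert once it sits inside the quotes.
elisp_quote() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Build the form a wrapper would hand to `emacsclient --eval`, with the
# URI embedded as string data rather than spliced into the code.
# (message-mailto is assumed to be the function the desktop file calls.)
mailto_eval_form() {
  printf '(message-mailto "%s")' "$(elisp_quote "$1")"
}

# Constructed sample URIs: a plain one, and one carrying a double quote
# and a backslash, which must not be able to close the string literal.
if [ "${1-}" = "--demo" ]; then
  mailto_eval_form 'mailto:someone@example.com?subject=hello'; echo
  mailto_eval_form 'mailto:x@example.com?subject=a"b\c'; echo
fi
```

Run the file with `--demo` to print both forms; the second one comes out as `(message-mailto "mailto:x@example.com?subject=a\"b\\c")`, a single string argument.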