From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ulrich Mueller Newsgroups: gmane.emacs.devel Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop Date: Wed, 08 Mar 2023 09:32:52 +0100 Message-ID: References: <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org> <20230307172816.2D56BC13915@vcs2.savannah.gnu.org> <877cvsozn5.fsf@yahoo.com> <87zg8onfob.fsf@yahoo.com> <87r0tzoeam.fsf@yahoo.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="5471"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux) Cc: emacs-devel@gnu.org To: Po Lu Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Mar 08 09:33:45 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pZpF2-0001FL-Md for ged-emacs-devel@m.gmane-mx.org; Wed, 08 Mar 2023 09:33:44 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pZpEN-0006UD-ER; Wed, 08 Mar 2023 03:33:03 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pZpEL-0006TO-Sp for emacs-devel@gnu.org; Wed, 08 Mar 2023 03:33:01 -0500 Original-Received: from woodpecker.gentoo.org ([140.211.166.183] helo=smtp.gentoo.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1pZpEI-0002yU-CB for emacs-devel@gnu.org; Wed, 08 Mar 2023 03:33:01 -0500 In-Reply-To: <87r0tzoeam.fsf@yahoo.com> (Po Lu's message of "Wed, 08 Mar 2023 16:09:05 +0800") Received-SPF: pass client-ip=140.211.166.183; envelope-from=ulm@gentoo.org; helo=smtp.gentoo.org X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:304113 Archived-At: >>>>> On Wed, 08 Mar 2023, Po Lu wrote: > For it to be a vulnerability, you will have to click such mailto URIs in > your web browser without first reading them, and some nasty person will > have to specifically create URIs that run insidious Emacs Lisp code. > How about something simpler: one can copy a command to download malware > from the Internet, then paste it into a shell buffer. Let's remove a > serious command injection vulnerability, ``M-x shell'', from Emacs 29! > While we're at it, how about `interprogram-paste-function' as well? No, it doesn't work that way. :) When it comes to vulnerabilities, it is all about expectations. If I execute a program (shell code, binary, etc.) that I find somewhere in the Internet, then I know that it will execute some code, and that I must trust its source that it doesn't do anything malicious. OTOH, I don't have that expectation when I click on a mailto hyperlink.