From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ulrich Mueller Newsgroups: gmane.emacs.devel Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop Date: Wed, 08 Mar 2023 12:44:14 +0100 Message-ID: References: <167821009581.14664.5608674978571454819@vcs2.savannah.gnu.org> <20230307172816.2D56BC13915@vcs2.savannah.gnu.org> <877cvsozn5.fsf@yahoo.com> <87zg8onfob.fsf@yahoo.com> <87r0tzoeam.fsf@yahoo.com> <87a60no7su.fsf@yahoo.com> <871qlzo6fs.fsf@yahoo.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="11032"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux) Cc: emacs-devel@gnu.org To: Po Lu Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Mar 08 12:45:18 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pZsEP-0002gW-Tf for ged-emacs-devel@m.gmane-mx.org; Wed, 08 Mar 2023 12:45:17 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pZsDZ-0005MD-1n; Wed, 08 Mar 2023 06:44:25 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pZsDX-0005Lr-7D for emacs-devel@gnu.org; Wed, 08 Mar 2023 06:44:23 -0500 Original-Received: from smtp.gentoo.org ([2001:470:ea4a:1:5054:ff:fec7:86e4]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from ) id 1pZsDV-00021E-J7 for emacs-devel@gnu.org; Wed, 08 Mar 2023 06:44:22 -0500 In-Reply-To: <871qlzo6fs.fsf@yahoo.com> (Po Lu's message of "Wed, 08 Mar 2023 18:58:47 +0800") Received-SPF: pass client-ip=2001:470:ea4a:1:5054:ff:fec7:86e4; envelope-from=ulm@gentoo.org; helo=smtp.gentoo.org X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:304122 Archived-At: >>>>> On Wed, 08 Mar 2023, Po Lu wrote: > IMHO we should stop kow-towing to the information security people who > make a huge fuss over every single bug, especially bugs like this one > which only show up when you specifically try to trigger them. > Proprietary JavaScript routinely does things far more nasty and > malicious than a hyperlink that can be read before being clicked. > Or perhaps Emacs 29 can forgo this change entirely. Why would anyone > click a URL containing suspicious looking Lisp code, and who would > actually try to do nasty things with such URLs? > If you have to go out of your way to trigger a bug in a branch that is > supposed to be stable, then fixing it can wait. Wow. :) At least you seem to agree that the current behaviour is a bug.