From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Andrew Cohen Newsgroups: gmane.emacs.devel Subject: Re: Reproducers for recent Emacs security issues Date: Mon, 15 Apr 2024 21:42:00 +0800 Message-ID: <877cgyn3o7.fsf@ust.hk> References: <875xwk8w5w.fsf@melete.silentflame.com> <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com> <87cyqrf01x.fsf@melete.silentflame.com> <87mspv6kf0.fsf@localhost> <87y19fdklq.fsf@melete.silentflame.com> <87wmoy6dkl.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="9834"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) To: emacs-devel@gnu.org Cancel-Lock: sha1:DJQvPlKPX3RXyZmPSZDYrg8dRtY= Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Mon Apr 15 15:58:58 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1rwMrK-0002Gi-3o for ged-emacs-devel@m.gmane-mx.org; Mon, 15 Apr 2024 15:58:58 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rwMqg-0003DN-EG; Mon, 15 Apr 2024 09:58:18 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rwMbG-0006yA-Bp for emacs-devel@gnu.org; Mon, 15 Apr 2024 09:42:22 -0400 Original-Received: from ciao.gmane.io ([116.202.254.214]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rwMbC-00051V-45 for emacs-devel@gnu.org; Mon, 15 Apr 2024 09:42:20 -0400 Original-Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1rwMb6-0009qs-UH for emacs-devel@gnu.org; Mon, 15 Apr 2024 15:42:12 +0200 X-Injected-Via-Gmane: http://gmane.org/ Received-SPF: pass client-ip=116.202.254.214; envelope-from=ged-emacs-devel@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: -15 X-Spam_score: -1.6 X-Spam_bar: - X-Spam_report: (-1.6 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Mon, 15 Apr 2024 09:58:13 -0400 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:317736 Archived-At: >>>>> "IR" == Ihor Radchenko writes: IR> Max Nikulin writes: [...] >> >> I expect that message body should not affect attachment preview. IR> This sounds like gnus bug (or feature?). I can also reproduce IR> it. Feel free to submit it as a separate bug report. The culprit here is gnus-article-emulate-mime (which defaults to t): "If non-nil, use MIME emulation for uuencode and the like. This means that Gnus will search message bodies for text that look like uuencoded bits, yEncoded bits, and so on, and present that using the normal Gnus MIME machinery." Even though this sample message is mime, with this variable non-nil the message bodies are searched as the doc describes. But the parsing fails on this message, and ends up with some rather confused "parts": in particular one which contains just the URL, but for some reason calls org to dispaly itself. Given that these alternative encodings are ancient and probably no longer relevant, I suggest we change the default to nil.