From: Gustavo Barros <gusbrs.2016@gmail.com>
To: 57856@debbugs.gnu.org
Subject: bug#57856: 28.2; bookmark context strings in encrypted files
Date: Fri, 16 Sep 2022 08:08:25 -0300
Message-ID: <87bkrfh77i.fsf@gmail.com>

Hi All,

I guess this one is midway between a bug report and a feature request.
I don't see that this is in any way against expected/documented behavior of
involved libraries (bookmark.el, epg.el), but it is arguably a bad
corner case of interaction between the two, which represents a (small)
potential security issue.

Currently (Emacs 28.2), when setting a bookmark in a gpg encrypted file,
part of the buffer is stored unencrypted as `front-context-string' and
`rear-context-string' in the `bookmark-default-file' whenever
`bookmark-search-size' is larger than 0, which by default is 16.

It could be argued that it is unwise to set a bookmark in this context.
But, well, users do all kinds of stuff. Besides, Emacs provides no hint
that this may be risky (as far as I can tell). So it would be nice if
Emacs would be a little more conservative here, and locally set
`bookmark-search-size' to 0 in buffers visiting encrypted files.

I think it'd be overkill to provide a full reproduction recipe, since
most of it would just be to set up the environment (key etc.) for GPG. But
anyone who already has a setup and an encrypted file can reproduce the
following simple steps (which I have tested in an .org.gpg file with
`emacs -Q'):

Visit the encrypted file. Set a bookmark with `bookmark-set' ("C-x r
m") somewhere near a non-empty part of the buffer. Save bookmarks with
`bookmark-save'. Inspect `bookmark-default-file' (by default
"~/.emacs.d/bookmarks"), particularly `front-context-string' and
`rear-context-string' of the pertinent bookmark, to find part of the
original encrypted file stored there unencrypted.

Best regards,
Gustavo.

In GNU Emacs 28.2 (build 2, x86_64-pc-linux-gnu, GTK+ Version 3.24.20,
cairo version 1.16.0)
of 2022-09-12 built on gusbrs-laptop
Windowing system distributor 'The X.Org Foundation', version
11.0.12013000
System Description: Linux Mint 20.3
Configured using:
'configure --with-mailutils --with-xwidgets --with-native-compilation
--without-compress-install'
Configured features:
ACL CAIRO DBUS FREETYPE GIF GLIB GMP GNUTLS GPM GSETTINGS HARFBUZZ JPEG
JSON LCMS2 LIBOTF LIBSELINUX LIBSYSTEMD LIBXML2 M17N_FLT MODULES
NATIVE_COMP NOTIFY INOTIFY PDUMPER PNG RSVG SECCOMP SOUND THREADS TIFF
TOOLKIT_SCROLL_BARS X11 XDBE XIM XPM XWIDGETS GTK3 ZLIB
Important settings:
value of $LC_MONETARY: pt_BR.UTF-8
value of $LC_NUMERIC: pt_BR.UTF-8
value of $LANG: en_US.UTF-8
locale-coding-system: utf-8-unix
Major mode: Lisp Interaction
Minor modes in effect:
tooltip-mode: t
global-eldoc-mode: t
eldoc-mode: t
show-paren-mode: t
electric-indent-mode: t
mouse-wheel-mode: t
tool-bar-mode: t
menu-bar-mode: t
file-name-shadow-mode: t
global-font-lock-mode: t
font-lock-mode: t
blink-cursor-mode: t
auto-composition-mode: t
auto-encryption-mode: t
auto-compression-mode: t
line-number-mode: t
indent-tabs-mode: t
transient-mark-mode: t
Load-path shadows:
None found.
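
One way to apply the mitigation the report asks for, and to check an existing bookmark file for the leak it describes, as an added Emacs Lisp example that is not part of the original message or of Emacs. The `my/` names are hypothetical, and encrypted files are recognised only by matching their name against `epa-file-name-regexp`.

```elisp
;;; Added example; the my/ functions are hypothetical, not Emacs API.
(require 'bookmark)
(require 'epa-hook)                     ; defines `epa-file-name-regexp'

(defun my/bookmark-encrypted-file-p (file)
  "Return non-nil if FILE's name matches `epa-file-name-regexp'.
Assumption: encrypted files are identified by name only (e.g. \".gpg\")."
  (and (stringp file)
       (string-match-p epa-file-name-regexp file)))

(defun my/bookmark-no-context-in-encrypted-buffer ()
  "Set `bookmark-search-size' to 0 locally in buffers visiting encrypted files.
With a size of 0 the default record maker stores empty context strings,
so no plaintext from the buffer reaches `bookmark-default-file'."
  (when (my/bookmark-encrypted-file-p buffer-file-name)
    (setq-local bookmark-search-size 0)))

;; Runs after the file has been visited (and decrypted by epa-file).
(add-hook 'find-file-hook #'my/bookmark-no-context-in-encrypted-buffer)

(defun my/bookmark-audit-encrypted-context ()
  "Return names of saved bookmarks on encrypted files that carry context text.
A bookmark is reported when its `front-context-string' or
`rear-context-string' is non-empty, i.e. when plaintext was stored."
  (bookmark-maybe-load-default-file)
  (let (hits)
    (dolist (bm bookmark-alist (nreverse hits))
      (when (and (my/bookmark-encrypted-file-p (bookmark-get-filename bm))
                 ;; `length' of nil is 0, so missing entries count as empty.
                 (or (> (length (bookmark-get-front-context-string bm)) 0)
                     (> (length (bookmark-get-rear-context-string bm)) 0)))
        (push (bookmark-name-from-full-record bm) hits)))))
```

Evaluating `(my/bookmark-audit-encrypted-context)` lists the bookmarks that already hold plaintext; the hook only affects bookmarks set after it is installed.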