From: Andrew Cohen <acohen@ust.hk>
To: Eli Zaretskii <eliz@gnu.org>
Cc: emacs-devel@gnu.org
Subject: Re: Reproducers for recent Emacs security issues
Date: Tue, 16 Apr 2024 21:23:58 +0800
Message-ID: <87msptqw41.fsf@ust.hk>
In-Reply-To: <86edb5jxzt.fsf@gnu.org>

>>>>> "EZ" == Eli Zaretskii <eliz@gnu.org> writes:

    >> From: Andrew Cohen <acohen@ust.hk>
    >> Date: Tue, 16 Apr 2024 07:30:27 +0800
    >> 
    >> >>>>> "FW" == Florian Weimer <fw@deneb.enyo.de> writes:
    >> 
    >> [...]
    >> 
    FW> It's a feature.  I think it comes from the regular expression in
    FW> mm-uu-type-alist.  Some of the features are quite nice, like
    FW> diff highlighting.  Others are a bit scary (and not just the
    FW> org-mode integration).
    >> 
    >> I stand corrected---this still looks quite useful and seems to be
    >> working as intended. I was thrown off by the documentation which
    >> indicated it was just for uuencoded and yencoded content.

    EZ> Maybe I misunderstand something (I don't use Gnus), but isn't it
    EZ> a security problem that the presence of such a line in an email
    EZ> message causes Emacs to download a remote file?

It doesn't cause the file to be downloaded immediately---it displays a
message identifying downloading the file as a possible security risk,
and requires confirmation in order to proceed with the download. This
seems OK from the security viewpoint.

If I understand correctly, Max is concerned that the behavior of this
part of the multipart mime message (text/plain) invokes org to deal with
the link. But this is what 'gnus-article-emulate-mime is supposed to do:
it consults a list of regular expressions to match and invokes handlers
to deal with them (whether the article is mime or not). The particular
line in question matches an org expression and org is then invoked to
handle it. The security issue is whether or not org handles the link
reasonably, and it does.

In Max's example message there is another part to the message of type
(text/org). This makes it appear that the involvement of org is related
to this other part. But it isn't---just the line by itself (#+setupfile:
http://localhost/test.html) will trigger the org handling.

My only issue is that the documentation is not very clear about all
this. I'll try to update it if I can find some time.

-- 
Andrew Cohen


