From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Andrew Cohen Newsgroups: gmane.emacs.devel Subject: Re: Reproducers for recent Emacs security issues Date: Tue, 16 Apr 2024 21:23:58 +0800 Organization: Hong Kong University of Science and Technology Message-ID: <87msptqw41.fsf@ust.hk> References: <875xwk8w5w.fsf@melete.silentflame.com> <706e1218-7451-4221-830a-ae3db3bf842e@gmail.com> <87cyqrf01x.fsf@melete.silentflame.com> <87mspv6kf0.fsf@localhost> <87y19fdklq.fsf@melete.silentflame.com> <87wmoy6dkl.fsf@localhost> <87edb6328y.fsf@mid.deneb.enyo.de> <8734rmmcfg.fsf@ust.hk> <86edb5jxzt.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="40850"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Cc: emacs-devel@gnu.org To: Eli Zaretskii Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Tue Apr 16 15:25:13 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1rwioA-000AFz-7R for ged-emacs-devel@m.gmane-mx.org; Tue, 16 Apr 2024 15:25:11 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rwinJ-0006e8-4K; Tue, 16 Apr 2024 09:24:17 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rwinF-0006dl-Ga for emacs-devel@gnu.org; Tue, 16 Apr 2024 09:24:13 -0400 Original-Received: from mail-os0jpn01on2112.outbound.protection.outlook.com ([40.107.113.112] helo=JPN01-OS0-obe.outbound.protection.outlook.com) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rwinC-0004DN-KF; Tue, 16 Apr 2024 09:24:13 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g51yrQb4hKs2hsPwXynwjN1OKZuqGcB7DDwhA7ytKdnxry7QfVQmmA0xM7hm0p3iy57LPTylJKWysLY772MpZTLMgPjugAGTLCoRWE2LJwLf8kVVbSIFWgNbA7hxZbCHKbh4QX9k6+rDx4pPOI6MkDa0po1XlOqjxZwlKbAWg/QY1N3liilhMx07JUewdcWczWgYTC19/McTCZWceeHMDXONhrZJi8h0CXd47qcsAsmycjiTp1lAp3Ap0q0q8DOrwPtxONGmkDBiahu11qVoVXz983UEQun/rDEEI/Prw9YqneABT/z6ExBBO+bl2n/abyFvmjn18IC6Lct0Pro7/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HHMiaG5HECpil3WkTdCKtM1LTpN4ab+vOpKLpzw+rUc=; b=CVjFRrbIT2ocXt/wMMbQ/mWmQoOEONObuXb/n2cneey5ZTixUf6n+oEniuOgll6eFxpG5IEmkukTCA/8hnXfhEh1B29JYdwCCms7yU/D/jVpEFJsvSpMSQPENQlCRWrL0yZp7PWqQX2zQbcakJkK2v05BFWqPkdQHx/gdeNvM3uArj03w4srCCHfGbrdR2nBi4uheug4kjT4hSK3/Q7pp283YSJyAJf5zvhgaGNGB8sx9HSnRNo0Ui57H3rpaNi23DeM4dtfrtWLi721JCct0mfe7nh+VKedKpeyy4TABcwXrRZAYmQbu0piJa0yLiSrUb5buPkOsq6XmtCFEXnV+g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ust.hk; dmarc=pass action=none header.from=ust.hk; dkim=pass header.d=ust.hk; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ust.hk; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HHMiaG5HECpil3WkTdCKtM1LTpN4ab+vOpKLpzw+rUc=; b=bYZZic52V3XggzYlELErzmCVA9bodGBhoOV6asNkhs1kaDiPQZleZJN6C6+gc6HYTtQgKaDMTV4TUz+QYaTlnTYViyXJUvrsH/mWv9K8EV0Q3WRBDZFYCFtv3DAC9B4mU7w3U3xdKEKOHvQgBqvHgUBZgkK1aUWOqZwXnsuWZLNaXbsFKBkWkNVcO7Sy/NFuFvLrQ25/r9ADH3oZI60iZuJJ14EQIOpFNrqBMnGscN2rs2meOLw0QoyEmLZFjJnsaQix8NDQuCQzIKuavAjKG0ELk9LDW4kyKx2cMcBc1+ggIp1T52ltMcwB5TxsnKbOv7P1wPmA39nwUxXDK/4Auw== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ust.hk; Original-Received: from OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM (2603:1096:604:1bf::11) by TYWP286MB2299.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:13c::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.50; Tue, 16 Apr 2024 13:24:01 +0000 Original-Received: from OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM ([fe80::8d10:ce2b:f69c:fa07]) by OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM ([fe80::8d10:ce2b:f69c:fa07%6]) with mapi id 15.20.7452.049; Tue, 16 Apr 2024 13:24:01 +0000 In-Reply-To: <86edb5jxzt.fsf@gnu.org> X-ClientProxiedBy: PS1PR03CA0013.apcprd03.prod.outlook.com (2603:1096:803:3d::25) To OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM (2603:1096:604:1bf::11) X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: OS3P286MB1877:EE_|TYWP286MB2299:EE_ X-MS-Office365-Filtering-Correlation-Id: 605fb6d8-608d-42c5-feea-08dc5e187ace X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: H8i0qJUDwpxcR7M6uDF3nFUe6KTCci7trlLcZetzlKX2Zyu/xgu6Tl5mgI9kALYr7ERofQzFDIlvntVp+whVwS753uHjR9TAOb7rm589sua3JdPU6yrSkq5CoH5jNK15u8D58W/vA0wH1GBwunpQIADext4LdSEAyW3D6UIt3XN0NWuYA7x+C73l5NMpmgZa90qdqhpPbsReJgJqQkRlu8YJiHnx1jLUKhWJ1Fr0mRK2nEZ0aYJ3j4pzZx86O5WXIqpLFc0kNrBUbHbLkbTPy20jYS0ejhMybMDBJzjRWVSysL8VUczgmDdQVp3nYilmHpDWDsI4m3bTnvfQGkZdAuVHbX6VKWyHTUfIJJlQLssewGSxlRRsOWU2B5+4SRZtLK8G4v56EwdUHGxlE7ekzQhp1C+6onMLNlztwGYyHykBqI3Xq4yuZFzcEiDqIbujFy/4x8DDHgSvGvKtmIV/tThMwAKbl10ToXBgPd71iLDciygkfoGTW5tuZJ6PGkiopnN460OHXAE87nv5Gs+wcHqHd8yOvCKjvmlB3wJUHVE4QKmHeYl/p11N2qRPfBNVg2jIRI7e9lHNoAWseJgp4sgo5H/NEfNpaZ5J42T5IIBfzWB8S0fd6y5dfR8u9DryMR+6Fij80VMES2oO0NnP+s5hRaAiHdaYlZGSRa6/ztA= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376005)(366007)(1800799015); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?qgw50Zmq9keirysEcJVodZ50pBZ0iG10JAuGgeBGVB+CTjpMDCICgW4+iEnO?= =?us-ascii?Q?RMmF1y7PCRHV6TNepaNa1MY9DZ0jEteWt6pk0gGd0D1h2VlRYjVmgC5KVDD4?= =?us-ascii?Q?OPa2bkfzTsLTll9pes00p2caumn4o8UvxZReOiyOpuXG7hwMEDLRRfDMGADA?= =?us-ascii?Q?m9QQRjilK8zuIfld3V4PuZF1F0CQ3nmzZ0Sb2RQjiGwB++yrw2LdPIjI5HYb?= =?us-ascii?Q?XB95AVLjdxSBK7qz+0Tlg+TUNvzbdoHh0e1KvaG3UFVmcBB/hj0Ng5aaYR1S?= =?us-ascii?Q?2a0pOrmiy2ERfkVWdVxH37q6vWv4bo3TkpfAKfZNIBNZSd4BeaykmE/y+W/M?= =?us-ascii?Q?y5U81j3nP4Bfx0ioK33Z7Um/okeiHTmaHPhJZLNBXShnz8yK1fVV01MM0VPT?= =?us-ascii?Q?NxZkW1W3nvdAb3qrehLzW9cEguLhTKAESW4CEQzLC+Yu4/5QVFEUieyOHLA1?= =?us-ascii?Q?CR2RTrDtKjPwXGGaWtd/PSWhIelUx0KkGevaFIoQZV4MPJ3o+sacvpJ9bWxg?= =?us-ascii?Q?fPOcOy+M+l8U3Vq+Jhjka/cjqyuBawDUbpFrqncstxPvMLx/uEkZNBhfA6yh?= =?us-ascii?Q?23fgfSDS5eDBtieovTLEMCjL7UCfvPjUXItxu3UuSTJytuQ7IQgaldF3U+dP?= =?us-ascii?Q?KT X-OriginatorOrg: ust.hk X-MS-Exchange-CrossTenant-Network-Message-Id: 605fb6d8-608d-42c5-feea-08dc5e187ace X-MS-Exchange-CrossTenant-AuthSource: OS3P286MB1877.JPNP286.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Apr 2024 13:24:01.4219 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: c917f3e2-9322-4926-9bb3-daca730413ca X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: VPQSsafYesqXWtNryr5RgFZHIZCzcaGCMymbWeS22Zm35FYcBIj14J3ymEg3UnPg X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYWP286MB2299 Received-SPF: pass client-ip=40.107.113.112; envelope-from=acohen@ust.hk; helo=JPN01-OS0-obe.outbound.protection.outlook.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:317751 Archived-At: >>>>> "EZ" == Eli Zaretskii writes: >> From: Andrew Cohen Date: Tue, 16 Apr 2024 >> 07:30:27 +0800 >> >> >>>>> "FW" == Florian Weimer writes: >> >> [...] >> FW> It's a feature. I think it comes the regular expression in FW> mm-uu-type-alist. Some of the features are quite nice, like FW> diff highlighting. Others are a bit scary (and not just the FW> org-mode integration). >> >> I stand corrected---this still looks quite useful and seems to be >> working as intended. I was thrown off by the documentation which >> indicated it was just for uuencoded and yencoded content. EZ> Maybe I misunderstand something (I don't use Gnus), but isn't it EZ> a security problem that the presence of such a line in an email EZ> message causes Emacs to download a remote file? It doesn't cause the file to be downloaded immediately---it displays a message identifying downloading the file as a possible security risk, and requires confirmation in order to proceed with the download. This seems OK from the security viewpoint. If I understand correctly, Max is concerned that the behavior of this part of the multipart mime message (text/plain) invokes org to deal with the link. But this is what 'gnus-article-emulate-mime is supposed to do: it consults a list of regular expressions to match and invokes handlers to deal with them (whether the article is mime or not). The particular line in question matches an org expression and org is then invoked to handle it. The security issue is whether or not org handles the link reasonably, and it does. In Max's example message there is another part to the message of type (text/org). This makes it appear that the involvement of org is related to this other part. But it isn't---just the line by itself (#+setupfile: http://localhost/test.html) will trigger the org handling. My only issue is that the documentation is not very clear about all this. I'll try to update it if I can find some time. -- Andrew Cohen