bug#65902: 29.0.92; emacsclient-mail.desktop fails due to complicated escaping

[Spencer Baugh]

Eli Zaretskii <eliz@gnu.org> writes:
>> Date: Wed, 13 Sep 2023 14:08:01 +0000 (UTC)
>> From: Spencer Baugh <sbaugh@catern.com>
>> Cc: 65902@debbugs.gnu.org
>> 
>> On Sep 13, 2023 09:26, Eli Zaretskii <eliz@gnu.org> wrote:
>> 
>>  > I am not sure what you're suggesting.  Can you show how the equivalent 
>>  > of: 
>>  > 
>>  > emacsclient --apply message-mailto -- %u 
>>  > 
>>  > would work with that design? 
>> 
>>    emacsclient --qeval '(message-mailto %u)'
>> 
>> I don't think this can work in general for arbitrary user input: what if %u 
>> is replaced with something
>> that contains parentheses?
>
> They are inside '..', so the only one who'd care is Emacs, not the
> shell.

Agreed.  The problem I'm referring to is in Emacs, interpreting
arbitrary input from the web as code.  (The .desktop commands don't even
use a shell, a shell doesn't need to be involved at any point)

> In which case it's the job of whoever provides the value for
> %u to handle that.

The value for %u is an arbitrary string from some other application
which wants to open a mailto: URI, and passes it to xdg-open which then
passes it to Emacs.  Other applications are not aware of what escaping
is needed to make Emacs not interpret it as code.  And indeed, there's
no point in doing that: Emacs is in the best position to do that
escaping, if it needs to be done.

> And anyway, how is that different from the same problem happening with
> your suggested --funcall or --apply? they will bump into the same
> issues.

No, they won't: --apply passes the arguments as a string, without ever
trying to parse them as Lisp.

Let's be concrete: imagine %u is replaced with
(shell-command "rm -r /")
as could happen if an application receives some malicious input.

The command line with --qeval is:
emacsclient --qeval '(message-mailto (shell-command "rm -r /"))'

Emacs receives
-eval (message-mailto (shell-command "rm -r /"))
and evals
(message-mailto (shell-command "rm -r /"))
and deletes your files.

The command line with --apply is:
emacsclient --apply message-mailto '(shell-command "rm -r /")'

Emacs receives
-apply message-mailto --applyarg (shell-command "rm -r /")
and evals
(message-mailto "(shell-command \"rm -r /\")")
and nothing bad happens.

Emacs just needs to get the verbatim string without trying to parse it
as Lisp at any point.  This is an extremely standard security technique
when dealing with malicious input, which is why the previous thread
converged on it so quickly.

>>  Let's not do that this time, okay?
>> 
>> Agreed, I think we reached a consensus in that bug and now I am implementing 
>> that consensus.
>
> AFAIU, there was no consensus reached there, so I'm unsure what are
> you alluding to here.

Everyone in that thread agreed that something like this --apply design
(which passes the strings verbatim to Emacs without evaling them) is
what we need, they were just discussing the exact design, and in the end
the design that everyone who posted agreed on, matched what I have
implemented...  I don't think we need to relitigate it.