bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#65902: 29.0.92; emacsclient-mail.desktop fails due to complicated es

From: Stefan Kangas
Subject: bug#65902: 29.0.92; emacsclient-mail.desktop fails due to complicated escaping
Date: Fri, 22 Sep 2023 00:05:20 -0700 
sbaugh@catern.com writes:

> diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
> index 0a2420ddead..5962fa1764c 100644
> --- a/etc/emacsclient-mail.desktop
> +++ b/etc/emacsclient-mail.desktop
> @@ -1,10 +1,7 @@
>  [Desktop Entry]
>  Categories=Network;Email;
>  Comment=GNU Emacs is an extensible, customizable text editor - and more
> -# We want to pass the following commands to the shell wrapper:
> -# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor= 
> --display="$DISPLAY" --eval "(message-mailto \"$u\")"
> -# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and 
> '\\\\'.
> -Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec 
> emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval 
> \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
> +Exec=emacsclient --alternate-editor= --eval '(message-mailto (pop 
> server-eval-args-left))' %u

As Spencer pointed out upthread, the mailto: links come from untrusted
sources (e.g. websites).  Escaping is infamous for being hard to get
right, and for that reason is a popular attack vector among bad actors.

I think it would be good if we could reduce the amount of stuff we have
to remember escaping here, or even better if we didn't need to escape
anything at all.  It's analogous to the case `shell-command-to-string'
(which uses a shell) vs `call-process' (which doesn't).

To my mind, this speaks in favor of some type of change in this
direction.  My two cents.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]