Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac

From:	Ulrich Mueller
Subject:	Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date:	Wed, 08 Mar 2023 08:15:48 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/28.3 (gnu/linux)

>>>>> On Wed, 08 Mar 2023, Po Lu wrote:

> Ulrich Mueller <ulm@gentoo.org> writes:
>> Then the desktop file won't work, obviously. The problem is that
>> ${PARAMETER//PATTERN/STRING} substitution is not available in POSIX
>> parameter expansion. So with POSIX sh, an external program (e.g. sed)
>> would have to be called.
>> 
>> The long term solution (suggested by Stefan Monnier) might be to add
>> a --funcall option to emacsclient. Then there would be no need for a
>> shell wrapper, in the first place.
>> 
>> Should the Makefile skip installation of emacsclient-mail.desktop
>> when bash isn't available on the system?

> Could we install this change not on emacs-29, but on master?

> I don't think the problem it solves is severe, nor a regression from
> Emacs 28.  It is rather a minor nusiance with certain URLs.

Seriously? It is a vulnerability that allows remote injection of
arbitrary Elisp code through a crafted "mailto" URI.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/07
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/07
  - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/07
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller <=
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
    - Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08

Prev by Date: Re: Merging feature/android
Next by Date: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Previous by thread: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Next by thread: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Index(es):
- Date
- Thread