Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop

[Po Lu]

Ulrich Mueller <ulm@gentoo.org> writes:

>>>>>> On Wed, 08 Mar 2023, Po Lu wrote:
>
>> For it to be a vulnerability, you will have to click such mailto URIs in
>> your web browser without first reading them, and some nasty person will
>> have to specifically create URIs that run insidious Emacs Lisp code.
>
>> How about something simpler: one can copy a command to download malware
>> from the Internet, then paste it into a shell buffer.  Let's remove a
>> serious command injection vulnerability, ``M-x shell'', from Emacs 29!
>> While we're at it, how about `interprogram-paste-function' as well?
>
> No, it doesn't work that way. :) When it comes to vulnerabilities, it is
> all about expectations.
>
> If I execute a program (shell code, binary, etc.) that I find somewhere
> in the Internet, then I know that it will execute some code, and that I
> must trust its source that it doesn't do anything malicious.
>
> OTOH, I don't have that expectation when I click on a mailto hyperlink.

Before you click a hyperlink, the URL to which it points pops up on the
lower left corner.  You have every opportunity to see that it doesn't do
anything nasty.

And again, you're already making the very brazen assumption that some
nasty person out there stands ready to take advantage of this bug.

Please, fix this so it works without bash, or remove it from emacs-29.
Once the pretest comes out, I plan to ask many coworkers to try it out.
Many of their systems use the Korn shell and do not have bash.