emacs-devel

Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac


From: Eli Zaretskii
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 16:04:03 +0200

> From: Robert Pluim <rpluim@gmail.com>
> Cc: Po Lu <luangruo@yahoo.com>,  emacs-devel@gnu.org
> Date: Wed, 08 Mar 2023 11:37:06 +0100
> 
> Itʼs certainly not a regression, but it is fairly serious. We could
> mitigate it somewhat by adding '--funcall', I guess.
> 
> The last time --funcall was discussed, there was no consensus on how
> arguments should be handled, so Iʼve just gone ahead and implemented
> one variant. We could add any restrictions we like on the server side,
> it currently just disallows direct `eval'
> 
> Not for emacs-29, I think.

Indeed, not for emacs-29.  So if requiring Bash is not going to fly,
we need to find a different way to fix the original problem.  Adding a
general-purpose command-line option to emacsclient, which also
requires a change in the client-server protocol, is out of the
question for emacs-29.


