[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emac
From: |
Eli Zaretskii |
Subject: |
Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop |
Date: |
Wed, 08 Mar 2023 16:14:34 +0200 |
> From: Ulrich Mueller <ulm@gentoo.org>
> Cc: Po Lu <luangruo@yahoo.com>, emacs-devel@gnu.org
> Date: Wed, 08 Mar 2023 12:08:42 +0100
>
> >>>>> On Wed, 08 Mar 2023, Robert Pluim wrote:
>
> > Fair enough, but is there no way to get it to use `sed' instead?
>
> Sure, something like this (not yet tested):
>
> -Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
> bash %u
> +Exec=sh -c "u=\\$\\(echo \\"\\$1\\" | sed
> \\'s/[\\\\\\"]/\\\\\\\\\\&/g\\'\\); exec emacsclient --alternate-editor=
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
> sh %u
>
> Sorry, but it doesn't get less ugly. :) Also, it will now call _two_
> external programs. Is this acceptable
Yes. Ugliness is not relevant: no one should be looking at this file
unless they want to hack on it.
> and is it guaranteed that sed will be available on users' systems?
I hope it is, but I thought this about Bash as well...
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, (continued)
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Jim Porter, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Jim Porter, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Jim Porter, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop,
Eli Zaretskii <=
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Manuel Giraud, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, tomas, 2023/03/09
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Po Lu, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Ulrich Mueller, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Eli Zaretskii, 2023/03/08
- Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop, Robert Pluim, 2023/03/08