Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop


From: Eli Zaretskii
Subject: Re: emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop
Date: Wed, 08 Mar 2023 16:14:34 +0200

> From: Ulrich Mueller <ulm@gentoo.org>
> Cc: Po Lu <luangruo@yahoo.com>,  emacs-devel@gnu.org
> Date: Wed, 08 Mar 2023 12:08:42 +0100
> 
> >>>>> On Wed, 08 Mar 2023, Robert Pluim wrote:
> 
> > Fair enough, but is there no way to get it to use `sed' instead?
> 
> Sure, something like this (not yet tested):
> 
> -Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; 
> u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= 
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" 
> bash %u
> +Exec=sh -c "u=\\$\\(echo \\"\\$1\\" | sed 
> \\'s/[\\\\\\"]/\\\\\\\\\\&/g\\'\\); exec emacsclient --alternate-editor= 
> --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" 
> sh %u
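Review bot: the `echo \"\$1\"` in the new `+Exec=sh -c` line is the one part of this hunk with undefined behaviour for arbitrary input: POSIX leaves echo's treatment of backslash sequences implementation-defined, and dash (the /bin/sh on Debian-based systems) interprets `\n`, `\c` and similar unconditionally, so a URL containing them could be altered or cut short before sed ever escapes it. `printf '%s\n' "$1" | sed ...` is a drop-in replacement with defined behaviour. The sed expression itself is correct: `[\\"]` matches a backslash or a double quote and `\\&` prefixes each with a backslash, which is the same transformation the two bash `${1//...}` substitutions in the removed line performed.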
> 
> Sorry, but it doesn't get less ugly. :) Also, it will now call _two_
> external programs. Is this acceptable

Yes.  Ugliness is not relevant: no one should be looking at this file
unless they want to hack on it.

> and is it guaranteed that sed will be available on users' systems?

I hope it is, but I thought this about Bash as well...
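As an added example (not code from this thread or from the Emacs sources), here is the escaping that the proposed `+Exec=` line performs, written as POSIX sh functions that can be tested in isolation. It assumes the function names `elisp_escape` and `elisp_mailto_form` and substitutes `printf` for `echo`, because some /bin/sh implementations' echo interprets backslash escapes in its arguments.

```shell
#!/bin/sh
# Added example, not the Emacs project's own code: escape a string so it can
# be embedded in an Elisp double-quoted string literal, using only POSIX sh
# and sed as the quoted patch proposes. printf replaces echo so that
# backslash sequences in the input reach sed unchanged.

# Prefix every backslash and double quote with a backslash.
elisp_escape() {
    printf '%s\n' "$1" | sed 's/[\\"]/\\&/g'
}

# Build the --eval form the desktop entry hands to emacsclient.
elisp_mailto_form() {
    u=$(elisp_escape "$1")
    printf '(message-mailto "%s")' "$u"
}

# Constructed sample: a mailto URL carrying the two characters that would
# otherwise terminate the Lisp string literal or escape its next character.
sample='mailto:bob@example.org?subject=a"b\c'
elisp_mailto_form "$sample"   # prints (message-mailto "mailto:bob@example.org?subject=a\"b\\c")
echo
```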
