emacs-diffs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

master cd60fa42f68 1/7: Merge from origin/emacs-29

From: Eli Zaretskii
Subject: master cd60fa42f68 1/7: Merge from origin/emacs-29
Date: Sat, 30 Mar 2024 04:40:39 -0400 (EDT) 
branch: master
commit cd60fa42f6803d4d34dedfaea3d1ed5c16349670
Merge: 06882a2d768 7a5d7be52c5
Author: Eli Zaretskii <eliz@gnu.org>
Commit: Eli Zaretskii <eliz@gnu.org>

    Merge from origin/emacs-29
    
    7a5d7be52c5 org--confirm-resource-safe: Fix prompt when prompting in ...
    2bc865ace05 org-file-contents: Consider all remote files unsafe
    6f9ea396f49 org-latex-preview: Add protection when `untrusted-content...
    937b9042ad7 * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark ...
    ccc188fcf98 * lisp/files.el (untrusted-content): New variable.
    befa9fcaae2 org-macro--set-templates: Prevent code evaluation
    3221d8d4611 * admin/authors.el (authors-aliases): Add ignored authors.
    8d8253f8991 * etc/NEWS: Update for Emacs 29.3
---
 admin/authors.el                         |  4 +++-
 etc/NEWS.29                              | 34 ++++++++++++++------------------
 lisp/files.el                            |  8 ++++++++
 lisp/gnus/mm-view.el                     |  1 +
 lisp/org/org-macro.el                    |  9 ++++++++-
 lisp/org/org.el                          | 27 +++++++++++++++++++++++--
 test/lisp/emacs-lisp/cl-generic-tests.el |  1 -
 7 files changed, 60 insertions(+), 24 deletions(-)

diff --git a/admin/authors.el b/admin/authors.el
index 8ea6064423f..da9f4257153 100644
--- a/admin/authors.el
+++ b/admin/authors.el
@@ -176,8 +176,10 @@ files.")
     ("Miha Rihtaršič" "Miha Rihtarsic")
     ("Mikio Nakajima" "Nakajima Mikio")
     (nil "montag451@laposte\\.net")
-    (nil "na@aisrntairetnraoitn")
     ("Morgan Smith" "Morgan J\\. Smith")
+    ("Mou Tong" "mou\\.tong@outlook\\.com")
+    (nil "na@aisrntairetnraoitn")
+    (nil "nibon7@163\\.com")
     ("Nelson Jose dos Santos Ferreira" "Nelson Ferreira")
     ("Noah Peart" "noah\\.v\\.peart@gmail\\.com")
     ("Noorul Islam" "Noorul Islam K M")
diff --git a/etc/NEWS.29 b/etc/NEWS.29
index 06086e9bdfb..3f94b0d4634 100644
--- a/etc/NEWS.29
+++ b/etc/NEWS.29
@@ -16,31 +16,27 @@ You can narrow news to a specific version by calling 
'view-emacs-news'
 with a prefix argument or by typing 'C-u C-h C-n'.
 
 
-* Installation Changes in Emacs 29.3
-
-
-* Startup Changes in Emacs 29.3
-
-
 * Changes in Emacs 29.3
+Emacs 29.3 is an emergency bugfix release intended to fix several
+security vulnerabilities described below.
 
-
-* Editing Changes in Emacs 29.3
+** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
+This is for security reasons, to avoid evaluating malicious Lisp code.
 
-
-* Changes in Specialized Modes and Packages in Emacs 29.3
+** New buffer-local variable 'untrusted-content'.
+When this is non-nil, Lisp programs should treat buffer contents with
+extra caution.
 
-
-* New Modes and Packages in Emacs 29.3
+** Gnus now treats inline MIME contents as untrusted.
+To get back previous insecure behavior, 'untrusted-content' should be
+reset to nil in the buffer.
 
-
-* Incompatible Lisp Changes in Emacs 29.3
+** LaTeX preview is now by default disabled for email attachments.
+To get back previous insecure behavior, set the variable
+'org--latex-preview-when-risky' to a non-nil value.
 
-
-* Lisp Changes in Emacs 29.3
-
-
-* Changes in Emacs 29.3 on Non-Free Operating Systems
+** Org mode now considers contents of remote files to be untrusted.
+Remote files are recognized by calling 'file-remote-p'.
 
 
 * Installation Changes in Emacs 29.2
diff --git a/lisp/files.el b/lisp/files.el
index 766ed573392..20d63d33fef 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -698,6 +698,14 @@ Also see the `permanently-enabled-local-variables' and
 Some modes may wish to set this to nil to prevent directory-local
 settings being applied, but still respect file-local ones.")
 
+(defvar-local untrusted-content nil
+  "Non-nil means that current buffer originated from an untrusted source.
+Email clients and some other modes may set this non-nil to mark the
+buffer contents as untrusted.
+
+This variable might be subject to change without notice.")
+(put 'untrusted-content 'permanent-local t)
+
 ;; This is an odd variable IMO.
 ;; You might wonder why it is needed, when we could just do:
 ;; (setq-local enable-local-variables nil)
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 3a7192092af..109b6c17c2c 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -502,6 +502,7 @@ If MODE is not set, try to find mode automatically."
          (setq coding-system (mm-find-buffer-file-coding-system)))
        (setq text (buffer-string))))
     (with-temp-buffer
+      (setq untrusted-content t)
       (insert (cond ((eq charset 'gnus-decoded)
                     (with-current-buffer (mm-handle-buffer handle)
                       (buffer-string)))
diff --git a/lisp/org/org-macro.el b/lisp/org/org-macro.el
index 737eab5d2bb..fe3bbc658ff 100644
--- a/lisp/org/org-macro.el
+++ b/lisp/org/org-macro.el
@@ -109,6 +109,13 @@ previous one, unless VALUE is nil.  Return the updated 
list."
   (let ((new-templates nil))
     (pcase-dolist (`(,name . ,value) templates)
       (let ((old-definition (assoc name new-templates)))
+        ;; This code can be evaluated unconditionally, as a part of
+        ;; loading Org mode.  We *must not* evaluate any code present
+        ;; inside the Org buffer while loading.  Org buffers may come
+        ;; from various sources, like received email messages from
+        ;; potentially malicious senders.  Org mode might be used to
+        ;; preview such messages and no code evaluation from inside the
+        ;; received Org text should ever happen without user consent.
         (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
           ;; Pre-process the evaluation form for faster macro expansion.
           (let* ((args (org-macro--makeargs value))
@@ -121,7 +128,7 @@ previous one, unless VALUE is nil.  Return the updated 
list."
                      (cadr (read value))
                    (error
                      (user-error "Invalid definition for macro %S" name)))))
-           (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
+           (setq value `(lambda ,args ,body))))
         (cond ((and value old-definition) (setcdr old-definition value))
              (old-definition)
              (t (push (cons name (or value "")) new-templates)))))
diff --git a/lisp/org/org.el b/lisp/org/org.el
index d361408eaca..678936f3417 100644
--- a/lisp/org/org.el
+++ b/lisp/org/org.el
@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
   :package-version '(Org . "8.0")
   :type 'boolean)
 
+(defvar untrusted-content) ; defined in files.el
+(defvar org--latex-preview-when-risky nil
+  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
+
+Some specially designed LaTeX code may generate huge pdf or log files
+that may exhaust disk space.
+
+This variable controls how to handle LaTeX preview when rendering LaTeX
+fragments that originate from incoming email messages.  It has no effect
+when Org mode is unable to determine the origin of the Org buffer.
+
+An Org buffer is considered to be from unsafe source when the
+variable `untrusted-content' has a non-nil value in the buffer.
+
+If this variable is non-nil, LaTeX previews are rendered unconditionally.
+
+This variable may be renamed or changed in the future.")
+
 (defcustom org-insert-mode-line-in-empty-file nil
   "Non-nil means insert the first line setting Org mode in empty files.
 When the function `org-mode' is called interactively in an empty file, this
@@ -4558,12 +4576,16 @@ from file or URL, and return nil.
 If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
 is available.  This option applies only if FILE is a URL."
   (let* ((is-url (org-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
          (cache (and is-url
                      (not nocache)
                      (gethash file org--file-cache))))
     (cond
      (cache)
-     (is-url
+     ((or is-url is-remote)
       (if (org--should-fetch-remote-resource-p file)
           (condition-case error
               (with-current-buffer (url-retrieve-synchronously file)
@@ -4649,9 +4671,9 @@ returns non-nil if any of them match."
                      (propertize domain 'face '(:inherit org-link :weight 
normal))
                      ") as safe.\n ")
                   "")
-                (propertize "f" 'face 'success)
                 (if current-file
                     (concat
+                     (propertize "f" 'face 'success)
                      " to download this resource, and permanently mark all 
resources in "
                      (propertize current-file 'face 'underline)
                      " as safe.\n ")
@@ -15696,6 +15718,7 @@ fragments in the buffer."
   (interactive "P")
   (cond
    ((not (display-graphic-p)) nil)
+   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
    ;; Clear whole buffer.
    ((equal arg '(64))
     (org-clear-latex-preview (point-min) (point-max))
diff --git a/test/lisp/emacs-lisp/cl-generic-tests.el 
b/test/lisp/emacs-lisp/cl-generic-tests.el
index 990fa580c54..1241d28ab74 100644
--- a/test/lisp/emacs-lisp/cl-generic-tests.el
+++ b/test/lisp/emacs-lisp/cl-generic-tests.el
@@ -331,7 +331,6 @@ Edebug symbols (Bug#42672)."
     (goto-char (point-min))
     ;; But we don't want (eql '4) to turn into (eql (quote 4)) either.
     (should (re-search-forward "(eql '4)" nil t))))
-    
 
 (provide 'cl-generic-tests)
 ;;; cl-generic-tests.el ends here
reply via email to
[Prev in Thread] Current Thread [Next in Thread]