[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacscli
From: |
Ulrich Müller |
Subject: |
emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop |
Date: |
Tue, 7 Mar 2023 12:28:16 -0500 (EST) |
branch: emacs-29
commit 3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc
Author: Ulrich Müller <ulm@gentoo.org>
Commit: Ulrich Müller <ulm@gentoo.org>
Fix Elisp code injection vulnerability in emacsclient-mail.desktop
A crafted mailto URI could contain unescaped double-quote
characters, allowing injection of Elisp code. Therefore, any
'\' and '"' characters are replaced by '\\' and '\"', using Bash
pattern substitution (which is not available in the POSIX shell).
We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the
bash -c command, but in the desktop entry '"', '$', and '\' must
be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes
are expanded twice, see the Desktop Entry Specification).
Reported by Gabriel Corona <gabriel.corona@free.fr>.
* etc/emacsclient-mail.desktop (Exec): Escape backslash and
double-quote characters.
---
etc/emacsclient-mail.desktop | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
index 91df122c594..49c6f99f317 100644
--- a/etc/emacsclient-mail.desktop
+++ b/etc/emacsclient-mail.desktop
@@ -1,7 +1,10 @@
[Desktop Entry]
Categories=Network;Email;
Comment=GNU Emacs is an extensible, customizable text editor - and more
-Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\"
--eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+# We want to pass the following commands to the shell wrapper:
+# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor=
--display="$DISPLAY" --eval "(message-mailto \"$u\")"
+# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
--display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\""
bash %u
Icon=emacs
Name=Emacs (Mail, Client)
MimeType=x-scheme-handler/mailto;
@@ -13,7 +16,7 @@ Actions=new-window;new-instance;
[Desktop Action new-window]
Name=New Window
-Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval
\\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u
+Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\};
u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor=
--create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u
[Desktop Action new-instance]
Name=New Instance
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- emacs-29 3c1693d08b0: Fix Elisp code injection vulnerability in emacsclient-mail.desktop,
Ulrich Müller <=