org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code

* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...)
link abbrevs that specify unsafe function.  Instead, display a
warning, and do not expand the abbrev.  Clear all the text properties
from the returned link, to avoid any potential vulnerabilities caused
by properties that may contain arbitrary Elisp.

(cherry picked from commit c645e1d8205f0f0663ec4a2d27575b238c646c7c)

diff --git a/lisp/org/ol.el b/lisp/org/ol.el
index 7a7f4f55896bf7c2e67dcc35e4643a1fe457f274..8a556c7b97921b9c4669eaf2bb282d1d11c15b98 100644 (file)
--- a/lisp/org/ol.el
+++ b/lisp/org/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
       (if (not as)
          link
        (setq rpl (cdr as))
-       (cond
-        ((symbolp rpl) (funcall rpl tag))
-        ((string-match "%(\\([^)]+\\))" rpl)
-         (replace-match
-          (save-match-data
-            (funcall (intern-soft (match-string 1 rpl)) tag))
-          t t rpl))
-        ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-        ((string-match "%h" rpl)
-         (replace-match (url-hexify-string (or tag "")) t t rpl))
-        (t (concat rpl tag)))))))
+        ;; Drop any potentially dangerous text properties like
+        ;; `modification-hooks' that may be used as an attack vector.
+        (substring-no-properties
+        (cond
+         ((symbolp rpl) (funcall rpl tag))
+         ((string-match "%(\\([^)]+\\))" rpl)
+           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+             ;; Using `unsafep-function' is not quite enough because
+             ;; Emacs considers functions like `genenv' safe, while
+             ;; they can potentially be used to expose private system
+             ;; data to attacker if abbreviated link is clicked.
+             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+                     (eq t (get rpl-fun-symbol 'pure)))
+                 (replace-match
+                 (save-match-data
+                   (funcall (intern-soft (match-string 1 rpl)) tag))
+                 t t rpl)
+               (org-display-warning
+                (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+                        rpl (match-string 1 rpl)))
+               (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
+                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
+               link
+              )))
+         ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+         ((string-match "%h" rpl)
+          (replace-match (url-hexify-string (or tag "")) t t rpl))
+         (t (concat rpl tag))))))))
 
 (defun org-link-open (link &optional arg)
   "Open a link object LINK.