From: Ulrich Müller Date: Tue, 7 Mar 2023 17:25:37 +0000 (+0100) Subject: Fix Elisp code injection vulnerability in emacsclient-mail.desktop X-Git-Tag: emacs-29.0.90~228 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc;p=emacs.git Fix Elisp code injection vulnerability in emacsclient-mail.desktop A crafted mailto URI could contain unescaped double-quote characters, allowing injection of Elisp code. Therefore, any '\' and '"' characters are replaced by '\\' and '\"', using Bash pattern substitution (which is not available in the POSIX shell). We want to pass literal 'u=${1//\\/\\\\}; u=${u//\"/\\\"};' in the bash -c command, but in the desktop entry '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\', respectively (backslashes are expanded twice, see the Desktop Entry Specification). Reported by Gabriel Corona . * etc/emacsclient-mail.desktop (Exec): Escape backslash and double-quote characters. --- diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop index 91df122c594..49c6f99f317 100644 --- a/etc/emacsclient-mail.desktop +++ b/etc/emacsclient-mail.desktop @@ -1,7 +1,10 @@ [Desktop Entry] Categories=Network;Email; Comment=GNU Emacs is an extensible, customizable text editor - and more -Exec=sh -c "exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +# We want to pass the following commands to the shell wrapper: +# u=${1//\\/\\\\}; u=${u//\"/\\\"}; exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")" +# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'. +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u Icon=emacs Name=Emacs (Mail, Client) MimeType=x-scheme-handler/mailto; @@ -13,7 +16,7 @@ Actions=new-window;new-instance; [Desktop Action new-window] Name=New Window -Exec=sh -c "exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$1\\\\\\")\\"" sh %u +Exec=bash -c "u=\\${1//\\\\\\\\/\\\\\\\\\\\\\\\\}; u=\\${u//\\\\\\"/\\\\\\\\\\\\\\"}; exec emacsclient --alternate-editor= --create-frame --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" bash %u [Desktop Action new-instance] Name=New Instance