[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#28350: enriched.el code execution
From: |
Charles A. Roelli |
Subject: |
bug#28350: enriched.el code execution |
Date: |
Sat, 09 Sep 2017 22:37:29 +0200 |
> Date: Sat, 09 Sep 2017 19:55:37 +0300
> From: Eli Zaretskii <eliz@gnu.org>
> CC: 28350@debbugs.gnu.org
>
> > > > +See Info node `(elisp)Display Property' for the use of these
> > > > +display specifications."
> > > > + (ignore-errors
> > > > + (or (stringp prop)
> > > ^^^^^^^^^^^^
> > > What about an image spec (including a slice spec)?
> >
> > Okay, I see that image specs can be safe. But are they all safe?
>
> I think they are. Does anyone know different?
I read over the documentation some more and they do look alright.
> > And I don't understand how a slice spec is used together with an image
> > spec. Is the slice spec used inside of IMAGE-PROPS, i.e. as you might
> > gather from the manual:
> >
> > ‘(image . IMAGE-PROPS)’
> > This kind of display specification is an image descriptor (*note
> > Images). When used as a display specification, it means to
> > display the image instead of the text that has the display
> > specification.
> >
> > ‘(slice X Y WIDTH HEIGHT)’
> > This specification together with ‘image’ specifies a “slice” (a
> > partial area) of the image to display.
> >
> > ?
>
> AFAIU, like this:
>
> ((slice X Y WIDTH HEIGHT) (image . IMAGE-PROPS))
>
> You can see examples of this in image.el and image-mode.el.
Thanks. I forgot that the display property can be set to a list or
vector of display specifications. I've updated the patch to reflect
this:
+ (and (seqp prop) (seq-every-p 'enriched-display-prop-safe-p prop)))))
and I've added slice/image specifications.
> > At this point it seems that unsafe display specs are more the
> > exception than the rule, so it might make sense to define the
> > `enriched-display-prop-safe-p' function by excluding the unsafe
> > specifications instead of including the safe ones. What do you
> > think?
>
> I'm not sure. The display spec can be complex, so to make sure none
> of these exceptions sneak through, you will have to recursively unpack
> the spec data structure and examine each of the elements, which smells
> too similar to emulating 'eval'. No?
Thank you. I've kept the current approach. Please see again the
attached patch.
Also, should the left-fringe/right-fringe display specifications be
considered safe? They seem innocuous.
0001-Prevent-code-execution-by-text-enriched-files-Bug-28.patch
Description: Text Data
- bug#28350: enriched.el code execution, Charles A. Roelli, 2017/09/04
- bug#28350: enriched.el code execution, Charles A. Roelli, 2017/09/06
- bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/06
- bug#28350: enriched.el code execution, Charles A. Roelli, 2017/09/09
- bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/09
- bug#28350: enriched.el code execution, Charles A. Roelli, 2017/09/09
- bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/09
- bug#28350: enriched.el code execution,
Charles A. Roelli <=
- bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/10
- bug#28350: enriched.el code execution, Glenn Morris, 2017/09/11
- bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/11
bug#28350: enriched.el code execution, Paul Eggert, 2017/09/09
bug#28350: enriched.el code execution, Eli Zaretskii, 2017/09/11
bug#28350: enriched.el code execution, Charles A. Roelli, 2017/09/11