emacs-devel

Re: Reproducers for recent Emacs security issues


From: Andrew Cohen
Subject: Re: Reproducers for recent Emacs security issues
Date: Tue, 16 Apr 2024 21:23:58 +0800
User-agent: Gnus/5.13 (Gnus v5.13)

>>>>> "EZ" == Eli Zaretskii <eliz@gnu.org> writes:

    >> From: Andrew Cohen <acohen@ust.hk> Date: Tue, 16 Apr 2024
    >> 07:30:27 +0800
    >> 
    >> >>>>> "FW" == Florian Weimer <fw@deneb.enyo.de> writes:
    >> 
    >> [...]
    >> 
    FW> It's a feature.  I think it comes from the regular expression in
    FW> mm-uu-type-alist.  Some of the features are quite nice, like
    FW> diff highlighting.  Others are a bit scary (and not just the
    FW> org-mode integration).
    >> 
    >> I stand corrected---this still looks quite useful and seems to be
    >> working as intended. I was thrown off by the documentation which
    >> indicated it was just for uuencoded and yencoded content.

    EZ> Maybe I misunderstand something (I don't use Gnus), but isn't it
    EZ> a security problem that the presence of such a line in an email
    EZ> message causes Emacs to download a remote file?

It doesn't cause the file to be downloaded immediately---it displays a
message identifying downloading the file as a possible security risk,
and requires confirmation in order to proceed with the download. This
seems OK from the security viewpoint.

If I understand correctly, Max is concerned that the behavior of this
part of the multipart mime message (text/plain) invokes org to deal with
the link. But this is what 'gnus-article-emulate-mime is supposed to do:
it consults a list of regular expressions to match and invokes handlers
to deal with them (whether the article is mime or not). The particular
line in question matches an org expression and org is then invoked to
handle it. The security issue is whether or not org handles the link
reasonably, and it does.

In Max's example message there is another part to the message of type
(text/org). This makes it appear that the involvement of org is related
to this other part. But it isn't---just the line by itself (#+setupfile:
http://localhost/test.html) will trigger the org handling.

My only issue is that the documentation is not very clear about all
this. I'll try to update it if I can find some time.

-- 
Andrew Cohen
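
The message above notes that the `#+setupfile:` line alone, in a text/plain part, is enough to trigger the org handling. As an added example (not part of the original message and not Gnus code), here is a mail-side check that flags such a line with a remote URL in any text part. The regex is this example's own heuristic, not the expression in mm-uu-type-alist, and the sample message is constructed.

```python
import re
from email import message_from_string

# Heuristic of this example (an assumption, not the regexp Gnus uses):
# an Org "#+setupfile:" keyword line whose argument is a remote URL.
REMOTE_SETUPFILE = re.compile(
    r"^[ \t]*#\+setupfile:[ \t]*(?P<url>[a-z][a-z0-9+.-]*://\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def find_remote_setupfiles(raw_message):
    """Return (content_type, url) for every text part carrying such a line."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and attachments
        payload = part.get_payload(decode=True)  # undoes base64 / QP
        if payload is None:
            continue
        try:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("utf-8", "replace")
        for m in REMOTE_SETUPFILE.finditer(text):
            hits.append((part.get_content_type(), m.group("url")))
    return hits

# Constructed sample: the line sits in text/plain (quoted-printable encoded),
# while the text/org part only refers to a local file.
SAMPLE = (
    "From: sender@example.org\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Hello,\n"
    "#+setupfile=3A http://localhost/test.html\n"
    "--b1\n"
    "Content-Type: text/org\n"
    "\n"
    "#+setupfile: ./local-setup.org\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(find_remote_setupfiles(SAMPLE))
```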


