(Thanks for fixing and your efforts on org. I've been an org user since
at least July of 2010.)
Just to be clear, is this the commit that needs applying to emacs
sources, 29.3, 28.x, and so on? It seems so, but I would rather not
guess. I'm asking on behalf of pkgsrc, where I am managing the release
process for our 2024Q2 branch, due on 30 June. Believe it or not we
have 20, 21, 26, 27, 28, 29 and a from-git version. While some should
be pruned, some people use it on vaxes. Any idea how far back this
goes?
Thanks,
Greg
commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
Author: Ihor Radchenko <yanta...@posteo.net>
Date: Tue Jun 18 13:06:44 2024 +0200
org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify unsafe function. Instead, display a warning, and
do not expand the abbrev. Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.
diff --git a/lisp/ol.el b/lisp/ol.el
index 7a7f4f558..8a556c7b9 100644
--- a/lisp/ol.el
+++ b/lisp/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
(if (not as)
link
(setq rpl (cdr as))
- (cond
- ((symbolp rpl) (funcall rpl tag))
- ((string-match "%(\\([^)]+\\))" rpl)
- (replace-match
- (save-match-data
- (funcall (intern-soft (match-string 1 rpl)) tag))
- t t rpl))
- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
- ((string-match "%h" rpl)
- (replace-match (url-hexify-string (or tag "")) t t rpl))
- (t (concat rpl tag)))))))
+ ;; Drop any potentially dangerous text properties like
+ ;; `modification-hooks' that may be used as an attack vector.
+ (substring-no-properties
+ (cond
+ ((symbolp rpl) (funcall rpl tag))
+ ((string-match "%(\\([^)]+\\))" rpl)
+ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+ ;; Using `unsafep-function' is not quite enough because
+ ;; Emacs considers functions like `genenv' safe, while
+ ;; they can potentially be used to expose private system
+ ;; data to attacker if abbreviated link is clicked.
+ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+ (eq t (get rpl-fun-symbol 'pure)))
+ (replace-match
+ (save-match-data
+ (funcall (intern-soft (match-string 1 rpl)) tag))
+ t t rpl)
+ (org-display-warning
+ (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+ rpl (match-string 1 rpl)))
+ (setq org-link-abbrev-alist-local (delete as
org-link-abbrev-alist-local)
+ org-link-abbrev-alist (delete as org-link-abbrev-alist))
+ link
+ )))
+ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+ ((string-match "%h" rpl)
+ (replace-match (url-hexify-string (or tag "")) t t rpl))
+ (t (concat rpl tag))))))))
(defun org-link-open (link &optional arg)
"Open a link object LINK.
