Greg Troxel <g...@lexort.com> writes:

> (Thanks for fixing and your efforts on org. I've been an org user since
> at least July of 2010.)
>
> Just to be clear, is this the commit that needs applying to emacs
> sources, 29.3, 28.x, and so on?

Yes, that's the correct commit.

> It seems so, but I would rather not guess. I'm asking on behalf of
> pkgsrc, where I am managing the release process for our 2024Q2 branch,
> due on 30 June. Believe it or not we have 20, 21, 26, 27, 28, 29 and a
> from-git version. While some should be pruned, some people use it on
> vaxes. Any idea how far back this goes?

It was introduced in org 7.9 (commit [1] from July of 2012). From what I can tell, it has been present in Emacs since emacs-24.2.

[1]: ef3d4b5965b828e85a535ef3f32999473c6a2a7a

> Thanks,
> Greg
>
> commit f4cc61636947b5c2f0afc67174dd369fe3277aa8
> Author: Ihor Radchenko <yanta...@posteo.net>
> Date: Tue Jun 18 13:06:44 2024 +0200
>
> org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
>
> * lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
> abbrevs that specify unsafe function. Instead, display a warning, and
> do not expand the abbrev. Clear all the text properties from the
> returned link, to avoid any potential vulnerabilities caused by
> properties that may contain arbitrary Elisp.
>
> diff --git a/lisp/ol.el b/lisp/ol.el
> index 7a7f4f558..8a556c7b9 100644
> --- a/lisp/ol.el
> +++ b/lisp/ol.el
> @@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'." > (if (not as) > link > (setq rpl (cdr as)) > - (cond > - ((symbolp rpl) (funcall rpl tag)) > - ((string-match "%(\\([^)]+\\))" rpl) > - (replace-match > - (save-match-data > - (funcall (intern-soft (match-string 1 rpl)) tag)) > - t t rpl)) > - ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > - ((string-match "%h" rpl) > - (replace-match (url-hexify-string (or tag "")) t t rpl)) > - (t (concat rpl tag))))))) > + ;; Drop any potentially dangerous text properties like > + ;; `modification-hooks' that may be used as an attack vector. > + (substring-no-properties > + (cond > + ((symbolp rpl) (funcall rpl tag)) > + ((string-match "%(\\([^)]+\\))" rpl) > + (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) > + ;; Using `unsafep-function' is not quite enough because > + ;; Emacs considers functions like `genenv' safe, while > + ;; they can potentially be used to expose private system > + ;; data to attacker if abbreviated link is clicked. > + (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) > + (eq t (get rpl-fun-symbol 'pure))) > + (replace-match > + (save-match-data > + (funcall (intern-soft (match-string 1 rpl)) tag)) > + t t rpl) > + (org-display-warning > + (format "Disabling unsafe link abbrev: %s > +You may mark function safe via (put '%s 'org-link-abbrev-safe t)" > + rpl (match-string 1 rpl))) > + (setq org-link-abbrev-alist-local (delete as > org-link-abbrev-alist-local) > + org-link-abbrev-alist (delete as org-link-abbrev-alist)) > + link > + ))) > + ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) > + ((string-match "%h" rpl) > + (replace-match (url-hexify-string (or tag "")) t t rpl)) > + (t (concat rpl tag)))))))) > > (defun org-link-open (link &optional arg) > "Open a link object LINK.
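Review bot: In the safe branch of the new `%(...)` case, `(funcall (intern-soft (match-string 1 rpl)) tag)` re-interns a name that is already bound to `rpl-fun-symbol` a few lines earlier; `(funcall rpl-fun-symbol tag)` is equivalent and avoids the duplicated lookup. Two further points on the unsafe path: `org-link-abbrev-alist (delete as org-link-abbrev-alist)` destructively removes the entry from the global customization variable as a side effect of expanding one link, so consider limiting the removal to `org-link-abbrev-alist-local` or at least stating in the warning that the abbrev has been removed from the global list as well; and the new `org-link-abbrev-safe` symbol property is introduced here without any visible docstring or manual change, so the `org-link-abbrev-alist` docstring should explain how to mark a function safe. Minor: the comment reads `genenv` where `getenv` is meant. Finally, the `(symbolp rpl)` branch still calls `funcall` unconditionally; if a symbol-valued abbrev can only come from Elisp configuration and never from a file-level abbreviation, a comment saying so would make that trust boundary explicit.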