procyberian/emacs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code

Browse source 
* lisp/org/ol.el (org-link-expand-abbrev): Refuse expanding %(...)
link abbrevs that specify unsafe function.  Instead, display a
warning, and do not expand the abbrev.  Clear all the text properties
from the returned link, to avoid any potential vulnerabilities caused
by properties that may contain arbitrary Elisp.
This commit is contained in:
Ihor Radchenko 2024-06-21 15:45:25 +02:00 committed by Stefan Kangas
parent 50a237c468
commit c645e1d820
1 changed files with 29 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
lisp/org/ol.el
View file

@ -1063,17 +1063,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
(if (not as) (if (not as)
link link
(setq rpl (cdr as)) (setq rpl (cdr as))
(cond ;; Drop any potentially dangerous text properties like
((symbolp rpl) (funcall rpl tag)) ;; `modification-hooks' that may be used as an attack vector.
((string-match "%(\\([^)]+\\))" rpl) (substring-no-properties
(replace-match (cond
(save-match-data ((symbolp rpl) (funcall rpl tag))
(funcall (intern-soft (match-string 1 rpl)) tag)) ((string-match "%(\\([^)]+\\))" rpl)
t t rpl)) (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ;; Using `unsafep-function' is not quite enough because
((string-match "%h" rpl) ;; Emacs considers functions like `genenv' safe, while
(replace-match (url-hexify-string (or tag "")) t t rpl)) ;; they can potentially be used to expose private system
(t (concat rpl tag))))))) ;; data to attacker if abbreviated link is clicked.
(if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
(eq t (get rpl-fun-symbol 'pure)))
(replace-match
(save-match-data
(funcall (intern-soft (match-string 1 rpl)) tag))
t t rpl)
(org-display-warning
(format "Disabling unsafe link abbrev: %s
You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
rpl (match-string 1 rpl)))
(setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
org-link-abbrev-alist (delete as org-link-abbrev-alist))
link
)))
((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
((string-match "%h" rpl)
(replace-match (url-hexify-string (or tag "")) t t rpl))
(t (concat rpl tag))))))))
(defun org-link-open (link &optional arg) (defun org-link-open (link &optional arg)
"Open a link object LINK. "Open a link object LINK.