Merge from origin/emacs-29

7a5d7be52c org--confirm-resource-safe: Fix prompt when prompting in ...
2bc865ace0 org-file-contents: Consider all remote files unsafe
6f9ea396f4 org-latex-preview: Add protection when `untrusted-content...
937b9042ad * lisp/gnus/mm-view.el (mm-display-inline-fontify): Mark ...
ccc188fcf9 * lisp/files.el (untrusted-content): New variable.
befa9fcaae org-macro--set-templates: Prevent code evaluation
3221d8d461 * admin/authors.el (authors-aliases): Add ignored authors.
8d8253f899 * etc/NEWS: Update for Emacs 29.3

admin/authors.el

@@ -176,8 +176,10 @@ files.")
     ("Miha Rihtaršič" "Miha Rihtarsic")
     ("Mikio Nakajima" "Nakajima Mikio")
     (nil "montag451@laposte\\.net")
-    (nil "na@aisrntairetnraoitn")
     ("Morgan Smith" "Morgan J\\. Smith")
+    ("Mou Tong" "mou\\.tong@outlook\\.com")
+    (nil "na@aisrntairetnraoitn")
+    (nil "nibon7@163\\.com")
     ("Nelson Jose dos Santos Ferreira" "Nelson Ferreira")
     ("Noah Peart" "noah\\.v\\.peart@gmail\\.com")
     ("Noorul Islam" "Noorul Islam K M")

etc/NEWS.29

@@ -15,32 +15,28 @@ in older Emacs versions.
 You can narrow news to a specific version by calling 'view-emacs-news'
 with a prefix argument or by typing 'C-u C-h C-n'.
 
-
-* Installation Changes in Emacs 29.3
-
-
-* Startup Changes in Emacs 29.3
-
 
 * Changes in Emacs 29.3
+Emacs 29.3 is an emergency bugfix release intended to fix several
+security vulnerabilities described below.
 
-
-* Editing Changes in Emacs 29.3
+** Arbitrary Lisp code is no longer evaluated as part of turning on Org mode.
+This is for security reasons, to avoid evaluating malicious Lisp code.
 
-
-* Changes in Specialized Modes and Packages in Emacs 29.3
+** New buffer-local variable 'untrusted-content'.
+When this is non-nil, Lisp programs should treat buffer contents with
+extra caution.
 
-
-* New Modes and Packages in Emacs 29.3
+** Gnus now treats inline MIME contents as untrusted.
+To get back previous insecure behavior, 'untrusted-content' should be
+reset to nil in the buffer.
 
-
-* Incompatible Lisp Changes in Emacs 29.3
+** LaTeX preview is now by default disabled for email attachments.
+To get back previous insecure behavior, set the variable
+'org--latex-preview-when-risky' to a non-nil value.
 
-
-* Lisp Changes in Emacs 29.3
-
-
-* Changes in Emacs 29.3 on Non-Free Operating Systems
+** Org mode now considers contents of remote files to be untrusted.
+Remote files are recognized by calling 'file-remote-p'.
 
 
 * Installation Changes in Emacs 29.2

lisp/files.el

@@ -698,6 +698,14 @@ Also see the `permanently-enabled-local-variables' and
 Some modes may wish to set this to nil to prevent directory-local
 settings being applied, but still respect file-local ones.")
 
+(defvar-local untrusted-content nil
+  "Non-nil means that current buffer originated from an untrusted source.
+Email clients and some other modes may set this non-nil to mark the
+buffer contents as untrusted.
+
+This variable might be subject to change without notice.")
+(put 'untrusted-content 'permanent-local t)
+
 ;; This is an odd variable IMO.
 ;; You might wonder why it is needed, when we could just do:
 ;; (setq-local enable-local-variables nil)

lisp/gnus/mm-view.el

@@ -502,6 +502,7 @@ If MODE is not set, try to find mode automatically."
 	  (setq coding-system (mm-find-buffer-file-coding-system)))
 	(setq text (buffer-string))))
     (with-temp-buffer
+      (setq untrusted-content t)
       (insert (cond ((eq charset 'gnus-decoded)
 		     (with-current-buffer (mm-handle-buffer handle)
 		       (buffer-string)))

lisp/org/org-macro.el

@@ -109,6 +109,13 @@ previous one, unless VALUE is nil.  Return the updated list."
   (let ((new-templates nil))
     (pcase-dolist (`(,name . ,value) templates)
       (let ((old-definition (assoc name new-templates)))
+        ;; This code can be evaluated unconditionally, as a part of
+        ;; loading Org mode.  We *must not* evaluate any code present
+        ;; inside the Org buffer while loading.  Org buffers may come
+        ;; from various sources, like received email messages from
+        ;; potentially malicious senders.  Org mode might be used to
+        ;; preview such messages and no code evaluation from inside the
+        ;; received Org text should ever happen without user consent.
         (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
           ;; Pre-process the evaluation form for faster macro expansion.
           (let* ((args (org-macro--makeargs value))
@@ -121,7 +128,7 @@ previous one, unless VALUE is nil.  Return the updated list."
 		      (cadr (read value))
 		    (error
                      (user-error "Invalid definition for macro %S" name)))))
-	    (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
+	    (setq value `(lambda ,args ,body))))
         (cond ((and value old-definition) (setcdr old-definition value))
 	      (old-definition)
 	      (t (push (cons name (or value "")) new-templates)))))

lisp/org/org.el

@@ -1140,6 +1140,24 @@ the following lines anywhere in the buffer:
   :package-version '(Org . "8.0")
   :type 'boolean)
 
+(defvar untrusted-content) ; defined in files.el
+(defvar org--latex-preview-when-risky nil
+  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
+
+Some specially designed LaTeX code may generate huge pdf or log files
+that may exhaust disk space.
+
+This variable controls how to handle LaTeX preview when rendering LaTeX
+fragments that originate from incoming email messages.  It has no effect
+when Org mode is unable to determine the origin of the Org buffer.
+
+An Org buffer is considered to be from unsafe source when the
+variable `untrusted-content' has a non-nil value in the buffer.
+
+If this variable is non-nil, LaTeX previews are rendered unconditionally.
+
+This variable may be renamed or changed in the future.")
+
 (defcustom org-insert-mode-line-in-empty-file nil
   "Non-nil means insert the first line setting Org mode in empty files.
 When the function `org-mode' is called interactively in an empty file, this
@@ -4558,12 +4576,16 @@ from file or URL, and return nil.
 If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
 is available.  This option applies only if FILE is a URL."
   (let* ((is-url (org-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
          (cache (and is-url
                      (not nocache)
                      (gethash file org--file-cache))))
     (cond
      (cache)
-     (is-url
+     ((or is-url is-remote)
       (if (org--should-fetch-remote-resource-p file)
           (condition-case error
               (with-current-buffer (url-retrieve-synchronously file)
@@ -4649,9 +4671,9 @@ returns non-nil if any of them match."
                      (propertize domain 'face '(:inherit org-link :weight normal))
                      ") as safe.\n ")
                   "")
-                (propertize "f" 'face 'success)
                 (if current-file
                     (concat
+                     (propertize "f" 'face 'success)
                      " to download this resource, and permanently mark all resources in "
                      (propertize current-file 'face 'underline)
                      " as safe.\n ")
@@ -15696,6 +15718,7 @@ fragments in the buffer."
   (interactive "P")
   (cond
    ((not (display-graphic-p)) nil)
+   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
    ;; Clear whole buffer.
    ((equal arg '(64))
     (org-clear-latex-preview (point-min) (point-max))

test/lisp/emacs-lisp/cl-generic-tests.el

@@ -331,7 +331,6 @@ Edebug symbols (Bug#42672)."
     (goto-char (point-min))
     ;; But we don't want (eql '4) to turn into (eql (quote 4)) either.
     (should (re-search-forward "(eql '4)" nil t))))
-    
 
 (provide 'cl-generic-tests)
 ;;; cl-generic-tests.el ends here