authorEli Zaretskii <eliz@gnu.org>2017-09-16 12:45:24 +0300
committerEli Zaretskii <eliz@gnu.org>2017-09-16 12:45:24 +0300
commita103dbe36022cd2454eaeed96def1c777c049762 (patch)
treea3455f3e0ef50b9bbc1085c3199b4434851ebf35 /lisp/gnus
parent6d6dc246f93486fc8370399b6e1af8a17f371e4f (diff)
downloademacs-a103dbe36022cd2454eaeed96def1c777c049762.tar.gz
Disable execution of unsafe Lisp by Enriched Text mode
* src/xdisp.c (handle_display_spec): If the display property is wrapped in 'disable-eval' form, disable Lisp evaluation while processing this property. (handle_single_display_spec): Accept new argument ENABLE_EVAL_P. If that argument is false, don't evaluate Lisp while processing display properties. * lisp/textmodes/enriched.el (enriched-allow-eval-in-display-props): New defcustom. (enriched-decode-display-prop): If enriched-allow-eval-in-display-props is nil, wrap the display property with 'disable-eval' to disable Lisp evaluation when the display property is processed for display. (Bug#28350) * lisp/gnus/mm-view.el (mm-inline-text): Re-enable processing of enriched text. * doc/lispref/display.texi (Display Property): Document the 'disable-eval' wrapping of 'display' properties. * doc/emacs/text.texi (Enriched Properties): Document 'enriched-allow-eval-in-display-props'. * etc/NEWS: Describe the security issues with Enriched Text mode and their solution.
Diffstat (limited to 'lisp/gnus')
-rw-r--r--lisp/gnus/mm-view.el10
1 files changed, 4 insertions, 6 deletions
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 86e217131ac..d7a41b84930 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -362,12 +362,10 @@
(goto-char (point-max))))
(save-restriction
(narrow-to-region b (point))
- ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
- ;; forms in display properties supported by enriched.el.
- ;; (when (member type '("enriched" "richtext"))
- ;; (set-text-properties (point-min) (point-max) nil)
- ;; (ignore-errors
- ;; (enriched-decode (point-min) (point-max))))
+ (when (member type '("enriched" "richtext"))
+ (set-text-properties (point-min) (point-max) nil)
+ (ignore-errors
+ (enriched-decode (point-min) (point-max))))
(mm-handle-set-undisplayer
handle
`(lambda ()
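Review bot: The re-enabled `(enriched-decode (point-min) (point-max))` call runs on a MIME part taken from a mail message, and nothing in this hunk pins the evaluation guard for that untrusted input. Per the commit message, the `disable-eval` wrapping is applied only when `enriched-allow-eval-in-display-props` is nil, so a user who enables that option for their own files would also enable it for incoming mail. Consider binding it locally, e.g. `(let ((enriched-allow-eval-in-display-props nil)) (ignore-errors (enriched-decode (point-min) (point-max))))`; this probably needs a `(defvar enriched-allow-eval-in-display-props)` in the file so the binding is dynamic and the byte-compiler stays quiet. The removed comment explained why decoding was disabled, so a short replacement would help, such as `;; Safe since enriched.el wraps display props in 'disable-eval' (Bug#28350).` The enclosing `mm-inline-text` body starts and ends outside the hunk.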