authorEli Zaretskii <eliz@gnu.org>2017-09-16 12:45:24 +0300
committerEli Zaretskii <eliz@gnu.org>2017-09-16 12:45:24 +0300
commita103dbe36022cd2454eaeed96def1c777c049762 (patch)
treea3455f3e0ef50b9bbc1085c3199b4434851ebf35 /lisp
parent6d6dc246f93486fc8370399b6e1af8a17f371e4f (diff)
Disable execution of unsafe Lisp by Enriched Text mode
* src/xdisp.c (handle_display_spec): If the display property is wrapped in 'disable-eval' form, disable Lisp evaluation while processing this property. (handle_single_display_spec): Accept new argument ENABLE_EVAL_P. If that argument is false, don't evaluate Lisp while processing display properties. * lisp/textmodes/enriched.el (enriched-allow-eval-in-display-props): New defcustom. (enriched-decode-display-prop): If enriched-allow-eval-in-display-props is nil, wrap the display property with 'disable-eval' to disable Lisp evaluation when the display property is processed for display. (Bug#28350) * lisp/gnus/mm-view.el (mm-inline-text): Re-enable processing of enriched text. * doc/lispref/display.texi (Display Property): Document the 'disable-eval' wrapping of 'display' properties. * doc/emacs/text.texi (Enriched Properties): Document 'enriched-allow-eval-in-display-props'. * etc/NEWS: Describe the security issues with Enriched Text mode and their solution.
Diffstat (limited to 'lisp')
-rw-r--r--lisp/gnus/mm-view.el10
-rw-r--r--lisp/textmodes/enriched.el23
2 files changed, 23 insertions, 10 deletions
diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 86e217131ac..d7a41b84930 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -362,12 +362,10 @@
(goto-char (point-max))))
(save-restriction
(narrow-to-region b (point))
- ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
- ;; forms in display properties supported by enriched.el.
- ;; (when (member type '("enriched" "richtext"))
- ;; (set-text-properties (point-min) (point-max) nil)
- ;; (ignore-errors
- ;; (enriched-decode (point-min) (point-max))))
+ (when (member type '("enriched" "richtext"))
+ (set-text-properties (point-min) (point-max) nil)
+ (ignore-errors
+ (enriched-decode (point-min) (point-max))))
(mm-handle-set-undisplayer
handle
`(lambda ()
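Review bot: The re-enabled `enriched-decode` call on line 36 is only safe because `enriched-decode-display-prop` now wraps display specs in `disable-eval` unless `enriched-allow-eval-in-display-props` is non-nil, and nothing in this hunk records that dependency for the next person who edits either file. Replacing the deleted comment with `;; Safe since the enriched.el change: enriched-decode wraps display properties in `disable-eval' unless enriched-allow-eval-in-display-props is non-nil.` keeps the invariant visible at the call site. The `ignore-errors` around the call also discards any decode failure, so a malformed message renders as plain text with no indication; that is the pre-25.3 behaviour and may be intentional. `mm-inline-text` begins and ends outside the hunk.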
diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index d90c207575b..be5cd6b7310 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -147,6 +147,22 @@ them and their old values to `enriched-old-bindings'."
:type 'hook
:group 'enriched)
+(defcustom enriched-allow-eval-in-display-props nil
+ "If non-nil allow to evaluate arbitrary forms in display properties.
+
+Enriched mode recognizes display properties of text stored using
+an extension command to the text/enriched format, \"x-display\".
+These properties must not, by default, include evaluation of
+Lisp forms, otherwise they are not applied. Customize this option
+to t to turn off this safety feature, and allow Enriched mode to
+apply display properties which evaluate arbitrary Lisp forms.
+Note, however, that applying unsafe display properties could
+execute malicious Lisp code, if that code came from an external source."
+ :risky t
+ :type 'boolean
+ :version "26.1"
+ :group 'enriched)
+
(defvar enriched-old-bindings nil
"Store old variable values that we change when entering mode.
The value is a list of \(VAR VALUE VAR VALUE...).")
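Review bot: The docstring's first line on line 48, `"If non-nil allow to evaluate arbitrary forms in display properties."`, is ungrammatical, and it is the summary line that `describe-variable` and Customize display; `"If non-nil, allow evaluation of arbitrary Lisp forms in display properties."` reads correctly. The phrase `otherwise they are not applied` on line 53 describes the wrapper's effect as dropping the property, whereas the commit message says a `disable-eval`-wrapped property is still processed with Lisp evaluation turned off; if the display engine still honours the non-eval parts of such a spec, the docstring overstates what is lost and should be aligned with xdisp.c. `:risky t` correctly marks the option as unsafe to set from file-local variables, which matters for a switch that enables code execution from message content.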
@@ -503,9 +519,8 @@ the range of text to assign text property SYMBOL with value VALUE."
(error nil)))))
(unless prop
(message "Warning: invalid <x-display> parameter %s" param))
- ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
- ;; forms in display properties stored within enriched text.
- ;; (list start end 'display prop)))
- (list start end)))
+ (if enriched-allow-eval-in-display-props
+ (list start end 'display prop)
+ (list start end 'display (list 'disable-eval prop)))))
;;; enriched.el ends here
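Review bot: When `prop` is nil (the invalid-parameter case that line 69 warns about), the new branch on line 76 still wraps it, so the decoded property becomes `(display (disable-eval nil))` rather than the bare nil display value the pre-25.3 form on line 72 produced, while the t branch on line 75 sets `display` to nil. Guarding the wrap with `(list start end 'display (and prop (list 'disable-eval prop)))` keeps the nil case inert regardless of the option. Whether the display engine tolerates a `(disable-eval nil)` spec is not visible here, so treat that as an assumption to confirm against `handle_display_spec` in xdisp.c. The enclosing `enriched-decode-display-prop` starts outside the hunk.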