diff options
-rw-r--r-- | emacs/26.3/11_all_ol-expand-abbrev.patch | 57 | ||||
-rw-r--r-- | emacs/27.2/13_all_ol-expand-abbrev.patch | 58 | ||||
-rw-r--r-- | emacs/28.2/15_all_ol-expand-abbrev.patch | 58 |
3 files changed, 173 insertions, 0 deletions
diff --git a/emacs/26.3/11_all_ol-expand-abbrev.patch b/emacs/26.3/11_all_ol-expand-abbrev.patch new file mode 100644 index 0000000..9c5d2ce --- /dev/null +++ b/emacs/26.3/11_all_ol-expand-abbrev.patch @@ -0,0 +1,57 @@ +org-mode should not expand link abbrevs that specify an unsafe function +Backported from emacs-29 branch + +commit c645e1d8205f0f0663ec4a2d27575b238c646c7c +Author: Ihor Radchenko <yantar92@posteo.net> +Date: Fri Jun 21 15:45:25 2024 +0200 + + org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code + +--- emacs-26.3/lisp/org/org.el ++++ emacs-26.3/lisp/org/org.el +@@ -9589,16 +9589,35 @@ + (if (not as) + link + (setq rpl (cdr as)) +- (cond +- ((symbolp rpl) (funcall rpl tag)) +- ((string-match "%(\\([^)]+\\))" rpl) +- (replace-match +- (save-match-data +- (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl)) +- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) +- ((string-match "%h" rpl) +- (replace-match (url-hexify-string (or tag "")) t t rpl)) +- (t (concat rpl tag))))) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond ++ ((symbolp rpl) (funcall rpl tag)) ++ ((string-match "%(\\([^)]+\\))" rpl) ++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. ++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s ++You may mark function safe via (put '%s 'org-link-abbrev-safe t)" ++ rpl (match-string 1 rpl))) ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))) + link)) + + ;;; Storing and inserting links diff --git a/emacs/27.2/13_all_ol-expand-abbrev.patch b/emacs/27.2/13_all_ol-expand-abbrev.patch new file mode 100644 index 0000000..6b8761f --- /dev/null +++ b/emacs/27.2/13_all_ol-expand-abbrev.patch @@ -0,0 +1,58 @@ +org-mode should not expand link abbrevs that specify an unsafe function +Backported from emacs-29 branch + +commit c645e1d8205f0f0663ec4a2d27575b238c646c7c +Author: Ihor Radchenko <yantar92@posteo.net> +Date: Fri Jun 21 15:45:25 2024 +0200 + + org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code + +--- emacs-27.2/lisp/org/ol.el ++++ emacs-27.2/lisp/org/ol.el +@@ -1007,17 +1007,35 @@ + (if (not as) + link + (setq rpl (cdr as)) +- (cond +- ((symbolp rpl) (funcall rpl tag)) +- ((string-match "%(\\([^)]+\\))" rpl) +- (replace-match +- (save-match-data +- (funcall (intern-soft (match-string 1 rpl)) tag)) +- t t rpl)) +- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) +- ((string-match "%h" rpl) +- (replace-match (url-hexify-string (or tag "")) t t rpl)) +- (t (concat rpl tag))))))) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond ++ ((symbolp rpl) (funcall rpl tag)) ++ ((string-match "%(\\([^)]+\\))" rpl) ++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. ++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s ++You may mark function safe via (put '%s 'org-link-abbrev-safe t)" ++ rpl (match-string 1 rpl))) ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))))) + + (defun org-link-open (link &optional arg) + "Open a link object LINK. diff --git a/emacs/28.2/15_all_ol-expand-abbrev.patch b/emacs/28.2/15_all_ol-expand-abbrev.patch new file mode 100644 index 0000000..df04355 --- /dev/null +++ b/emacs/28.2/15_all_ol-expand-abbrev.patch @@ -0,0 +1,58 @@ +org-mode should not expand link abbrevs that specify an unsafe function +Backported from emacs-29 branch + +commit c645e1d8205f0f0663ec4a2d27575b238c646c7c +Author: Ihor Radchenko <yantar92@posteo.net> +Date: Fri Jun 21 15:45:25 2024 +0200 + + org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code + +--- emacs-28.2/lisp/org/ol.el ++++ emacs-28.2/lisp/org/ol.el +@@ -1020,17 +1020,35 @@ + (if (not as) + link + (setq rpl (cdr as)) +- (cond +- ((symbolp rpl) (funcall rpl tag)) +- ((string-match "%(\\([^)]+\\))" rpl) +- (replace-match +- (save-match-data +- (funcall (intern-soft (match-string 1 rpl)) tag)) +- t t rpl)) +- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) +- ((string-match "%h" rpl) +- (replace-match (url-hexify-string (or tag "")) t t rpl)) +- (t (concat rpl tag))))))) ++ ;; Drop any potentially dangerous text properties like ++ ;; `modification-hooks' that may be used as an attack vector. ++ (substring-no-properties ++ (cond ++ ((symbolp rpl) (funcall rpl tag)) ++ ((string-match "%(\\([^)]+\\))" rpl) ++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl)))) ++ ;; Using `unsafep-function' is not quite enough because ++ ;; Emacs considers functions like `genenv' safe, while ++ ;; they can potentially be used to expose private system ++ ;; data to attacker if abbreviated link is clicked. ++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe)) ++ (eq t (get rpl-fun-symbol 'pure))) ++ (replace-match ++ (save-match-data ++ (funcall (intern-soft (match-string 1 rpl)) tag)) ++ t t rpl) ++ (org-display-warning ++ (format "Disabling unsafe link abbrev: %s ++You may mark function safe via (put '%s 'org-link-abbrev-safe t)" ++ rpl (match-string 1 rpl))) ++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local) ++ org-link-abbrev-alist (delete as org-link-abbrev-alist)) ++ link ++ ))) ++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl)) ++ ((string-match "%h" rpl) ++ (replace-match (url-hexify-string (or tag "")) t t rpl)) ++ (t (concat rpl tag)))))))) + + (defun org-link-open (link &optional arg) + "Open a link object LINK. |