GNU bug report logs - #65902
29.0.92; emacsclient-mail.desktop fails due to complicated escaping

Previous Next

Package: emacs;

Reported by: sbaugh <at> catern.com

Date: Wed, 13 Sep 2023 02:25:01 UTC

Severity: normal

Tags: patch

Found in version 29.0.92

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #124 received at 65902 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: sbaugh <at> catern.com, Eli Zaretskii <eliz <at> gnu.org>
Cc: jporterbugs <at> gmail.com, 65902 <at> debbugs.gnu.org,
 Spencer Baugh <sbaugh <at> janestreet.com>
Subject: Re: bug#65902: 29.0.92; emacsclient-mail.desktop fails due to
 complicated escaping
Date: Fri, 22 Sep 2023 00:05:20 -0700

sbaugh <at> catern.com writes:

> diff --git a/etc/emacsclient-mail.desktop b/etc/emacsclient-mail.desktop
> index 0a2420ddead..5962fa1764c 100644
> --- a/etc/emacsclient-mail.desktop
> +++ b/etc/emacsclient-mail.desktop
> @@ -1,10 +1,7 @@
>  [Desktop Entry]
>  Categories=Network;Email;
>  Comment=GNU Emacs is an extensible, customizable text editor - and more
> -# We want to pass the following commands to the shell wrapper:
> -# u=$(echo "$1" | sed 's/[\"]/\\&/g'); exec emacsclient --alternate-editor= --display="$DISPLAY" --eval "(message-mailto \"$u\")"
> -# Special chars '"', '$', and '\' must be escaped as '\\"', '\\$', and '\\\\'.
> -Exec=sh -c "u=\\$(echo \\"\\$1\\" | sed 's/[\\\\\\"]/\\\\\\\\&/g'); exec emacsclient --alternate-editor= --display=\\"\\$DISPLAY\\" --eval \\"(message-mailto \\\\\\"\\$u\\\\\\")\\"" sh %u
> +Exec=emacsclient --alternate-editor= --eval '(message-mailto (pop server-eval-args-left))' %u

As Spencer pointed out upthread, the mailto: links come from untrusted
sources (e.g. websites).  Escaping is infamous for being hard to get
right, and for that reason is a popular attack vector among bad actors.

I think it would be good if we could reduce the amount of stuff we have
to remember escaping here, or even better if we didn't need to escape
anything at all.  It's analogous to the case `shell-command-to-string'
(which uses a shell) vs `call-process' (which doesn't).

To my mind, this speaks in favor of some type of change in this
direction.  My two cents.
This bug report was last modified 1 year and 205 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.