-rw-r--r--emacs/26.3/11_all_ol-expand-abbrev.patch57
-rw-r--r--emacs/27.2/13_all_ol-expand-abbrev.patch58
-rw-r--r--emacs/28.2/15_all_ol-expand-abbrev.patch58
3 files changed, 173 insertions, 0 deletions
diff --git a/emacs/26.3/11_all_ol-expand-abbrev.patch b/emacs/26.3/11_all_ol-expand-abbrev.patch
new file mode 100644
index 0000000..9c5d2ce
--- /dev/null
+++ b/emacs/26.3/11_all_ol-expand-abbrev.patch
@@ -0,0 +1,57 @@
+org-mode should not expand link abbrevs that specify an unsafe function
+Backported from emacs-29 branch
+
+commit c645e1d8205f0f0663ec4a2d27575b238c646c7c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Fri Jun 21 15:45:25 2024 +0200
+
+ org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+--- emacs-26.3/lisp/org/org.el
++++ emacs-26.3/lisp/org/org.el
+@@ -9589,16 +9589,35 @@
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag)) t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))
+ link))
+
+ ;;; Storing and inserting links
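Review bot: The `(symbolp rpl)` branch still runs `(funcall rpl tag)` with no `org-link-abbrev-safe` or `pure` test, so the new guard covers only the `%(fn)` string form; the 27.2 and 28.2 hunks carry the same branch. Whether file content can ever place a symbol in `org-link-abbrev-alist-local` is not visible here, so either apply the same property test there or, once confirmed, record the assumption with a comment such as `;; Symbol replacements come only from Lisp-level configuration, so they are trusted.` The comment above the property test names `genenv`, which looks like a typo for `getenv`. Inside the safe branch `rpl-fun-symbol` is already bound, so the call can be `(funcall rpl-fun-symbol tag)` rather than repeating `(intern-soft (match-string 1 rpl))`. The enclosing function starts outside the hunk.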
diff --git a/emacs/27.2/13_all_ol-expand-abbrev.patch b/emacs/27.2/13_all_ol-expand-abbrev.patch
new file mode 100644
index 0000000..6b8761f
--- /dev/null
+++ b/emacs/27.2/13_all_ol-expand-abbrev.patch
@@ -0,0 +1,58 @@
+org-mode should not expand link abbrevs that specify an unsafe function
+Backported from emacs-29 branch
+
+commit c645e1d8205f0f0663ec4a2d27575b238c646c7c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Fri Jun 21 15:45:25 2024 +0200
+
+ org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+--- emacs-27.2/lisp/org/ol.el
++++ emacs-27.2/lisp/org/ol.el
+@@ -1007,17 +1007,35 @@
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag))
+- t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+
+ (defun org-link-open (link &optional arg)
+ "Open a link object LINK.
diff --git a/emacs/28.2/15_all_ol-expand-abbrev.patch b/emacs/28.2/15_all_ol-expand-abbrev.patch
new file mode 100644
index 0000000..df04355
--- /dev/null
+++ b/emacs/28.2/15_all_ol-expand-abbrev.patch
@@ -0,0 +1,58 @@
+org-mode should not expand link abbrevs that specify an unsafe function
+Backported from emacs-29 branch
+
+commit c645e1d8205f0f0663ec4a2d27575b238c646c7c
+Author: Ihor Radchenko <yantar92@posteo.net>
+Date: Fri Jun 21 15:45:25 2024 +0200
+
+ org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
+
+--- emacs-28.2/lisp/org/ol.el
++++ emacs-28.2/lisp/org/ol.el
+@@ -1020,17 +1020,35 @@
+ (if (not as)
+ link
+ (setq rpl (cdr as))
+- (cond
+- ((symbolp rpl) (funcall rpl tag))
+- ((string-match "%(\\([^)]+\\))" rpl)
+- (replace-match
+- (save-match-data
+- (funcall (intern-soft (match-string 1 rpl)) tag))
+- t t rpl))
+- ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+- ((string-match "%h" rpl)
+- (replace-match (url-hexify-string (or tag "")) t t rpl))
+- (t (concat rpl tag)))))))
++ ;; Drop any potentially dangerous text properties like
++ ;; `modification-hooks' that may be used as an attack vector.
++ (substring-no-properties
++ (cond
++ ((symbolp rpl) (funcall rpl tag))
++ ((string-match "%(\\([^)]+\\))" rpl)
++ (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
++ ;; Using `unsafep-function' is not quite enough because
++ ;; Emacs considers functions like `genenv' safe, while
++ ;; they can potentially be used to expose private system
++ ;; data to attacker if abbreviated link is clicked.
++ (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
++ (eq t (get rpl-fun-symbol 'pure)))
++ (replace-match
++ (save-match-data
++ (funcall (intern-soft (match-string 1 rpl)) tag))
++ t t rpl)
++ (org-display-warning
++ (format "Disabling unsafe link abbrev: %s
++You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
++ rpl (match-string 1 rpl)))
++ (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
++ org-link-abbrev-alist (delete as org-link-abbrev-alist))
++ link
++ )))
++ ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
++ ((string-match "%h" rpl)
++ (replace-match (url-hexify-string (or tag "")) t t rpl))
++ (t (concat rpl tag))))))))
+
+ (defun org-link-open (link &optional arg)
+ "Open a link object LINK.