branch: externals-release/org
commit 4077e9e45beaf4ac383b68c9fda39c53bcc1b191
Author: Ihor Radchenko <yanta...@posteo.net>
Commit: Kyle Meyer <k...@kyleam.com>

    Backport commit c645e1d82 from Emacs
    
    org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
    c645e1d8205f0f0663ec4a2d27575b238c646c7c
    Ihor Radchenko
    Sat Jun 22 00:54:36 2024 +0200
    
    [ km: This was independently covered on the bugfix branch with
      f4cc61636.  I'm applying it here too for bookkeeping/traceability
      purposes. ]
---
 lisp/ol.el | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/lisp/ol.el b/lisp/ol.el
index 7a7f4f5589..8a556c7b97 100644
--- a/lisp/ol.el
+++ b/lisp/ol.el
@@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
       (if (not as)
          link
        (setq rpl (cdr as))
-       (cond
-        ((symbolp rpl) (funcall rpl tag))
-        ((string-match "%(\\([^)]+\\))" rpl)
-         (replace-match
-          (save-match-data
-            (funcall (intern-soft (match-string 1 rpl)) tag))
-          t t rpl))
-        ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-        ((string-match "%h" rpl)
-         (replace-match (url-hexify-string (or tag "")) t t rpl))
-        (t (concat rpl tag)))))))
+        ;; Drop any potentially dangerous text properties like
+        ;; `modification-hooks' that may be used as an attack vector.
+        (substring-no-properties
+        (cond
+         ((symbolp rpl) (funcall rpl tag))
+         ((string-match "%(\\([^)]+\\))" rpl)
+           (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+             ;; Using `unsafep-function' is not quite enough because
+             ;; Emacs considers functions like `genenv' safe, while
+             ;; they can potentially be used to expose private system
+             ;; data to attacker if abbreviated link is clicked.
+             (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+                     (eq t (get rpl-fun-symbol 'pure)))
+                 (replace-match
+                 (save-match-data
+                   (funcall (intern-soft (match-string 1 rpl)) tag))
+                 t t rpl)
+               (org-display-warning
+                (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+                        rpl (match-string 1 rpl)))
+               (setq org-link-abbrev-alist-local (delete as 
org-link-abbrev-alist-local)
+                     org-link-abbrev-alist (delete as org-link-abbrev-alist))
+               link
+              )))
+         ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+         ((string-match "%h" rpl)
+          (replace-match (url-hexify-string (or tag "")) t t rpl))
+         (t (concat rpl tag))))))))
 
 (defun org-link-open (link &optional arg)
   "Open a link object LINK.
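Review bot: The safe branch at L52–L54 re-derives the callee with `(funcall (intern-soft (match-string 1 rpl)) tag)` even though the vetted symbol is already bound as `rpl-fun-symbol` on L45; calling `(funcall rpl-fun-symbol tag)` instead keeps the object that was checked and the object that is invoked identical, which is what an auditor of this guard wants to see. When `intern-soft` returns nil (no such function is interned), `(get nil ...)` is nil, so the abbrev is disabled with the "unsafe" warning — safe, but misleading; a comment such as `;; An unknown function name also lands here and is disabled.` would avoid confusion. The `(symbolp rpl)` branch on L43 still calls the function without the property check; presumably that is acceptable because a symbol value can only come from Lisp configuration rather than from an in-buffer `#+LINK` keyword, but the assumption deserves a one-line comment next to that branch. The dangling `)` on L64 should be folded onto the preceding line per Elisp convention. The enclosing `org-link-expand-abbrev` begins before this hunk.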
