Disable execution of unsafe Lisp by Enriched Text mode

* src/xdisp.c (handle_display_spec): If the display property is
wrapped in 'disable-eval' form, disable Lisp evaluation while
processing this property.
(handle_single_display_spec): Accept new argument ENABLE_EVAL_P.
If that argument is false, don't evaluate Lisp while processing
display properties.

* lisp/textmodes/enriched.el
(enriched-allow-eval-in-display-props): New defcustom.
(enriched-decode-display-prop): If
enriched-allow-eval-in-display-props is nil, wrap the display
property with 'disable-eval' to disable Lisp evaluation when the
display property is processed for display.  (Bug#28350)
* lisp/gnus/mm-view.el (mm-inline-text): Re-enable processing of
enriched text.

* doc/lispref/display.texi (Display Property): Document the
'disable-eval' wrapping of 'display' properties.
* doc/emacs/text.texi (Enriched Properties): Document
'enriched-allow-eval-in-display-props'.

* etc/NEWS: Describe the security issues with Enriched Text mode
and their solution.

2 files changed, 28 insertions, 0 deletions

diff --git a/doc/emacs/text.texi b/doc/emacs/text.texi
index 3b54aa82631..496b43ce1e3 100644
--- a/doc/emacs/text.texi
+++ b/doc/emacs/text.texi
@@ -2398,6 +2398,23 @@ these special properties from the text in the region.
 
   The @code{invisible} and @code{intangible} properties are not saved.
 
+@vindex enriched-allow-eval-in-display-props
+@cindex security, when displaying enriched text
+  Enriched mode also supports saving and restoring @code{display}
+properties (@pxref{Display Property,,,elisp, the Emacs Lisp Reference
+Manual}), which affect how text is displayed on the screen, and also
+allow displaying images and strings that come from sources other than
+buffer text.  The @code{display} properties also support execution of
+arbitrary Lisp forms as part of processing the property for display,
+thus providing a means to dynamically tailor the display to some
+conditions that can only be known at display time.  Since execution of
+arbitrary Lisp opens Emacs to potential attacks, especially when the
+source of enriched text is outside of Emacs or even outside of your
+system (e.g., if it was received in an email message), such execution
+is by default disabled in Enriched mode.  You can enable it by
+customizing the variable @code{enriched-allow-eval-in-display-props}
+to a non-@code{nil} value.
+
 @node Text Based Tables
 @section Editing Text-based Tables
 @cindex table mode
diff --git a/doc/lispref/display.texi b/doc/lispref/display.texi
index 1dbc0bbb5bf..3dae984f339 100644
--- a/doc/lispref/display.texi
+++ b/doc/lispref/display.texi
@@ -4486,6 +4486,17 @@ for the @code{display} property, only one of the values takes effect,
 following the rules of @code{get-char-property}.  @xref{Examining
 Properties}.
 
+@cindex display property, unsafe evaluation
+@cindex security, and display specifications
+  Some of the display specifications allow inclusion of Lisp forms,
+which are evaluated at display time.  This could be unsafe in certain
+situations, e.g., when the display specification was generated by some
+external program/agent.  Wrapping a display specification in a list
+that begins with the special symbol @code{disable-eval}, as in
+@w{@code{('disable-eval @var{spec})}}, will disable evaluation of any
+Lisp in @var{spec}, while still supporting all the other display
+property features.
+
   The rest of this section describes several kinds of
 display specifications and what they mean.