Disable execution of unsafe Lisp by Enriched Text mode

* src/xdisp.c (handle_display_spec): If the display property is
wrapped in 'disable-eval' form, disable Lisp evaluation while
processing this property.
(handle_single_display_spec): Accept new argument ENABLE_EVAL_P.
If that argument is false, don't evaluate Lisp while processing
display properties.

* lisp/textmodes/enriched.el
(enriched-allow-eval-in-display-props): New defcustom.
(enriched-decode-display-prop): If
enriched-allow-eval-in-display-props is nil, wrap the display
property with 'disable-eval' to disable Lisp evaluation when the
display property is processed for display.  (Bug#28350)
* lisp/gnus/mm-view.el (mm-inline-text): Re-enable processing of
enriched text.

* doc/lispref/display.texi (Display Property): Document the
'disable-eval' wrapping of 'display' properties.
* doc/emacs/text.texi (Enriched Properties): Document
'enriched-allow-eval-in-display-props'.

* etc/NEWS: Describe the security issues with Enriched Text mode
and their solution.

2 files changed, 23 insertions, 10 deletions

diff --git a/lisp/gnus/mm-view.el b/lisp/gnus/mm-view.el
index 86e217131ac..d7a41b84930 100644
--- a/lisp/gnus/mm-view.el
+++ b/lisp/gnus/mm-view.el
@@ -362,12 +362,10 @@
         (goto-char (point-max))))
     (save-restriction
       (narrow-to-region b (point))
-      ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
-      ;; forms in display properties supported by enriched.el.
-      ;; (when (member type '("enriched" "richtext"))
-      ;;   (set-text-properties (point-min) (point-max) nil)
-      ;;        (ignore-errors
-      ;;          (enriched-decode (point-min) (point-max))))
+      (when (member type '("enriched" "richtext"))
+        (set-text-properties (point-min) (point-max) nil)
+        (ignore-errors
+          (enriched-decode (point-min) (point-max))))
       (mm-handle-set-undisplayer
        handle
        `(lambda ()
diff --git a/lisp/textmodes/enriched.el b/lisp/textmodes/enriched.el
index d90c207575b..be5cd6b7310 100644
--- a/lisp/textmodes/enriched.el
+++ b/lisp/textmodes/enriched.el
@@ -147,6 +147,22 @@ them and their old values to `enriched-old-bindings'."
   :type 'hook
   :group 'enriched)
 
+(defcustom enriched-allow-eval-in-display-props nil
+  "If non-nil allow to evaluate arbitrary forms in display properties.
+
+Enriched mode recognizes display properties of text stored using
+an extension command to the text/enriched format, \"x-display\".
+These properties must not, by default, include evaluation of
+Lisp forms, otherwise they are not applied.  Customize this option
+to t to turn off this safety feature, and allow Enriched mode to
+apply display properties which evaluate arbitrary Lisp forms.
+Note, however, that applying unsafe display properties could
+execute malicious Lisp code, if that code came from an external source."
+  :risky t
+  :type 'boolean
+  :version "26.1"
+  :group 'enriched)
+
 (defvar enriched-old-bindings nil
   "Store old variable values that we change when entering mode.
 The value is a list of \(VAR VALUE VAR VALUE...).")
@@ -503,9 +519,8 @@ the range of text to assign text property SYMBOL with value VALUE."
                   (error nil)))))
     (unless prop
       (message "Warning: invalid <x-display> parameter %s" param))
-    ;; Disabled in Emacs 25.3 to avoid execution of arbitrary Lisp
-    ;; forms in display properties stored within enriched text.
-    ;; (list start end 'display prop)))
-    (list start end)))
+    (if enriched-allow-eval-in-display-props
+        (list start end 'display prop)
+      (list start end 'display (list 'disable-eval prop)))))
 
 ;;; enriched.el ends here