From: Eli Zaretskii <eliz@gnu.org>
To: Ihor Radchenko <yantar92@posteo.net>
Cc: mail@daniel-mendler.de, 74879@debbugs.gnu.org,
monnier@iro.umontreal.ca, stefankangas@gmail.com
Subject: bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers
Date: Sun, 15 Dec 2024 15:38:42 +0200
Message-ID: <86wmg1qd5p.fsf@gnu.org>
In-Reply-To: <87cyht9kke.fsf@localhost> (message from Ihor Radchenko on Sun, 15 Dec 2024 12:50:41 +0000)

> From: Ihor Radchenko <yantar92@posteo.net>
> Cc: mail@daniel-mendler.de, 74879@debbugs.gnu.org, monnier@iro.umontreal.ca,
> stefankangas@gmail.com
> Date: Sun, 15 Dec 2024 12:50:41 +0000
>
> Eli Zaretskii <eliz@gnu.org> writes:
>
> > And can we really trust arbitrary ELisp code that to set trust?
>
> When arbitrary Elisp code is already running, there is nothing that
> can prevent that code from doing anything at all, including, for
> example, re-defining `trusted-content-p'. So, discussing whether we can
> trust running Elisp code or not makes no sense in my book. We have to
> trust it.

"Arbitrary ELisp code" doesn't have to be malicious, just too
trusting.

> > And what about buffers whose contents came from a network connection?
>
> The code that is putting text received from network connection should be
> responsible for marking the buffer appropriately.

How can that work in practice? What can that code do to know whether
the stuff can or cannot be trusted?

> > What about buffers whose contents came from inserting some file or
> > part thereof, or were generated by processing some file?
>
> Again, the code should be responsible to check things, maybe using some
> kind of API function to check whether a given source file should be
> trusted or not.
>
> > What about buffers whose contents came from a program Emacs invoked?
>
> Same thing.
>
> I'd say that the code receiving text contents from network or from a
> program should not mark it as trusted.

Now we are getting somewhere.
My point is that we should probably not leave this open to some
function, but instead code our own ways of deciding whether a given
buffer is trusted.

> One alternative might be storing "trust flag" as text property for Emacs
> primitives that read file contents, network stream, or program
> output. Then, if any part of buffer has "trust flag" set to be not
> trusted, the whole buffer should not be considered trusted.

My problem is not how NOT to trust, my problem is in which cases to
trust. Saying that by default such buffers are not trusted is easy --
we already do that, in fact.
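
The text-property "trust flag" idea quoted in the message above, sketched in Emacs Lisp as an added example (not code from this thread or from Emacs); the property name `my-trust-flag` and all three functions are hypothetical. It fails closed, so unflagged text and empty buffers count as untrusted, and it leaves open the question the reply raises of which code may set the flag to trusted.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration.  `my-trust-flag', `my-insert-from-source',
;; `my-buffer-trusted-p' and `my-trust-demo' are hypothetical names,
;; not Emacs APIs.

(defun my-insert-from-source (text trusted)
  "Insert TEXT at point, tagged with the `my-trust-flag' text property.
TRUSTED non-nil tags it `trusted', otherwise `untrusted'."
  (insert (propertize text 'my-trust-flag
                      (if trusted 'trusted 'untrusted))))

(defun my-buffer-trusted-p (&optional buffer)
  "Return non-nil only if every character of BUFFER is tagged `trusted'.
Text with no flag at all, such as typed or yanked text or text
inserted by code unaware of the flag, counts as untrusted."
  (with-current-buffer (or buffer (current-buffer))
    (save-restriction
      (widen)                           ; narrowing must not hide text
      (and (> (point-max) (point-min))  ; assumption: empty is untrusted
           ;; nil here means no character has a flag other than `trusted'
           (not (text-property-not-all (point-min) (point-max)
                                       'my-trust-flag 'trusted))))))

(defun my-trust-demo ()
  "Return trust verdicts for three constructed buffers.
The buffers hold, in order: only trusted text; trusted text plus
text from an untrusted source; trusted text plus unflagged text."
  (list
   (with-temp-buffer
     (my-insert-from-source "(defun from-file ())\n" t)
     (my-buffer-trusted-p))
   (with-temp-buffer
     (my-insert-from-source "(defun from-file ())\n" t)
     (my-insert-from-source "(defun from-network ())\n" nil)
     (my-buffer-trusted-p))
   (with-temp-buffer
     (my-insert-from-source "(defun from-file ())\n" t)
     (insert "(defun unflagged ())\n")
     (my-buffer-trusted-p))))
```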