unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#27066: 25.1; dired unsafe variables
@ 2017-05-25 11:57 Francesco Potortì
  2017-05-25 15:21 ` Eli Zaretskii
  0 siblings, 1 reply; 8+ messages in thread
From: Francesco Potortì @ 2017-05-25 11:57 UTC (permalink / raw)
  To: 27066

Recipe:

$ wget http://fly.isti.cnr.it/tmp/leela.tar	# 48 MB
$ tar -xf leela.tar
$ emacs -nw -Q opt/leela

I am prompted to accept reading the directory because it contains unsafe
variables.



In GNU Emacs 25.1.1 (x86_64-pc-linux-gnu, X toolkit, Xaw3d scroll bars)
 of 2017-04-23, modified by Debian built on trouble
Windowing system distributor 'The X.Org Foundation', version 11.0.11902000
System Description:	Debian GNU/Linux 9.0 (stretch)

Configured using:
 'configure --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs25:/etc/emacs:/usr/local/share/emacs/25.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/25.1/site-lisp:/usr/share/emacs/site-lisp
 --with-sound=alsa --build x86_64-linux-gnu --prefix=/usr
 --sharedstatedir=/var/lib --libexecdir=/usr/lib
 --localstatedir=/var/lib --infodir=/usr/share/info
 --mandir=/usr/share/man --with-pop=yes
 --enable-locallisppath=/etc/emacs25:/etc/emacs:/usr/local/share/emacs/25.1/site-lisp:/usr/local/share/emacs/site-lisp:/usr/share/emacs/25.1/site-lisp:/usr/share/emacs/site-lisp
 --with-sound=alsa --with-x=yes --with-x-toolkit=lucid
 --with-toolkit-scroll-bars --without-gconf --without-gsettings
 'CFLAGS=-g -O2
 -fdebug-prefix-map=/build/emacs25-d2FC1K/emacs25-25.1+1=. -fstack-protector-strong
 -Wformat -Werror=format-security -Wall' 'CPPFLAGS=-Wdate-time
 -D_FORTIFY_SOURCE=2' LDFLAGS=-Wl,-z,relro'

Configured features:
XAW3D XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS NOTIFY ACL
LIBSELINUX GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB
TOOLKIT_SCROLL_BARS LUCID X11

Important settings:
  value of $LC_COLLATE: it_IT.UTF-8
  value of $LC_CTYPE: it_IT.UTF-8
  value of $LC_NUMERIC: C
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Shell

Minor modes in effect:
  diff-auto-refine-mode: t
  TeX-PDF-mode: t
  desktop-save-mode: t
  epa-global-mail-mode: t
  shell-dirtrack-mode: t
  openwith-mode: t
  xterm-mouse-mode: t
  display-time-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  tool-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  column-number-mode: t
  line-number-mode: t

Recent messages:
Deleting...done
dbus-launch atril /home/pot/www/tmp/ranieri.pdf? (y or n) y
openwith-file-handler: Opened ranieri.pdf in external program
Deleting...done
Deleting...done
Quit
Deleting...done
Parsing archive file...done.
Deleting...done
Report a bug for a [P]ackage or [F]ile: (default P) 
Quit

Load-path shadows:

Features:

Memory information:






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 11:57 bug#27066: 25.1; dired unsafe variables Francesco Potortì
@ 2017-05-25 15:21 ` Eli Zaretskii
  2017-05-25 15:54   ` Francesco Potortì
  0 siblings, 1 reply; 8+ messages in thread
From: Eli Zaretskii @ 2017-05-25 15:21 UTC (permalink / raw)
  To: Francesco Potortì; +Cc: 27066

> Date: Thu, 25 May 2017 13:57:12 +0200
> From: Francesco Potortì <pot@gnu.org>
> 
> Recipe:
> 
> $ wget http://fly.isti.cnr.it/tmp/leela.tar	# 48 MB
> $ tar -xf leela.tar
> $ emacs -nw -Q opt/leela
> 
> I am prompted to accept reading the directory because it contains unsafe
> variables

I'm not sure why this is deemed a bug: you have a .dir-locals.el file
in that directory, which specifies directory-local variables.  What
exactly is the problem with the prompt?






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 15:21 ` Eli Zaretskii
@ 2017-05-25 15:54   ` Francesco Potortì
  2017-05-25 16:06     ` Eli Zaretskii
  0 siblings, 1 reply; 8+ messages in thread
From: Francesco Potortì @ 2017-05-25 15:54 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 27066

>> Date: Thu, 25 May 2017 13:57:12 +0200
>> From: Francesco Potortì <pot@gnu.org>
>> 
>> Recipe:
>> 
>> $ wget http://fly.isti.cnr.it/tmp/leela.tar	# 48 MB
>> $ tar -xf leela.tar
>> $ emacs -nw -Q opt/leela
>> 
>> I am prompted to accept reading the directory because it contains unsafe
>> variables
>
>I'm not sure why this is deemed a bug: you have a .dir-locals.el file
>in that directory, which specifies directory-local variables.  What
>exactly is the problem with the prompt?

I have not created that file myself (downloaded the source code from
Github), and before reading your answer I did not know about the
existence of .dir-locals.el files which get loaded automatically.  I
can't find the "dir-local" string anywhere either in the Emacs or Elisp
manuals.  Moreover the warning message does not mention .dir-locals.el
anywhere. 

So first, there is a documentation problem about the .dir-locals.el
files.

Second, probably dired should prompt *before* ever loading that file and
parse it only if the user agrees.  Am I too conservative?  Anyway, that
is something that is unexpected, and should be treated differently, in
my opinion.






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 15:54   ` Francesco Potortì
@ 2017-05-25 16:06     ` Eli Zaretskii
  2017-05-25 16:58       ` Francesco Potortì
  0 siblings, 1 reply; 8+ messages in thread
From: Eli Zaretskii @ 2017-05-25 16:06 UTC (permalink / raw)
  To: Francesco Potortì; +Cc: 27066

> Date: Thu, 25 May 2017 17:54:50 +0200
> From: Francesco Potortì <pot@gnu.org>
> Cc: 27066@debbugs.gnu.org
> 
> >I'm not sure why this is deemed a bug: you have a .dir-locals.el file
> >in that directory, which specifies directory-local variables.  What
> >exactly is the problem with the prompt?
> 
> I have not created that file myself (downloaded the source code from
> Github), and before reading your answer I did not know about the
> existence of .dir-locals.el files which get loaded automatically. I
> can't find the "dir-local" string anywhere either in the Emacs or Elisp
> manuals.

How did you search?  Typing "i directory-local RET" lands me on the
right place, as does "C-s dir-local" followed by C-s enough times.

> Moreover the warning message does not mention .dir-locals.el
> anywhere. 
> 
> So first, there is a documentation problem about the .dir-locals.el
> files.

Please suggest how to improve the existing docs.

> Second, probably dired should prompt *before* ever loading that file and
> parse it only if the user agrees.  Am I too conservative?

I think you are too conservative.  We treat directory-local variables
like we treat file-local variables: as soon as you visit the
file/directory, the variables are interpreted.

Perhaps we should offer an option to ask the question you mentioned,
but I think in general it will annoy too much.






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 16:06     ` Eli Zaretskii
@ 2017-05-25 16:58       ` Francesco Potortì
  2017-05-25 18:09         ` Eli Zaretskii
  0 siblings, 1 reply; 8+ messages in thread
From: Francesco Potortì @ 2017-05-25 16:58 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 27066

>> Date: Thu, 25 May 2017 17:54:50 +0200
>> From: Francesco Potortì <pot@gnu.org>
>> Cc: 27066@debbugs.gnu.org
>> 
>> >I'm not sure why this is deemed a bug: you have a .dir-locals.el file
>> >in that directory, which specifies directory-local variables.  What
>> >exactly is the problem with the prompt?
>> 
>> I have not created that file myself (downloaded the source code from
>> Github), and before reading your answer I did not know about the
>> existence of .dir-locals.el files which get loaded automatically. I
>> can't find the "dir-local" string anywhere either in the Emacs or Elisp
>> manuals.
>
>How did you search?  Typing "i directory-local RET" lands me on the
>right place, as does "C-s dir-local" followed by C-s enough times.

Hm.  It turns out that Debian, for some reason, did not update my dir
info file after installing emacs25 side-by-side with emacs22, so I was
reading emacs22 docs.  Sorry for the inaccurate info.

>> Moreover the warning message does not mention .dir-locals.el
>> anywhere. 
>> 
>> So first, there is a documentation problem about the .dir-locals.el
>> files.
>
>Please suggest how to improve the existing docs.

The warning message should not say that risky variables are present in the
directory: that makes sense only if you know where to look.  When
reading that message, I thought about some bug somewhere.

The warning message should name the file where the offending variables
were found, instead.

>> Second, probably dired should prompt *before* ever loading that file and
>> parse it only if the user agrees.  Am I too conservative?
>
>I think you are too conservative.  We treat directory-local variables
>like we treat file-local variables: as soon as you visit the
>file/directory, the variables are interpreted.
>
>Perhaps we should offer an option to ask the question you mentioned,
>but I think in general it will annoy too much.

I don't know.  It's a relatively recent innovation, and I bet very few
users have ever stumbled into it.  In my opinion, dired should warn the
user and ask for permission to go on whenever it wants to read a
.dir-locals.el file.  Probably a customisation variable could avoid this
prompt.  And maybe in the future the current behaviour could become the
default, but not now.






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 16:58       ` Francesco Potortì
@ 2017-05-25 18:09         ` Eli Zaretskii
  2017-05-25 19:25           ` Francesco Potortì
  2022-01-23 16:10           ` Lars Ingebrigtsen
  0 siblings, 2 replies; 8+ messages in thread
From: Eli Zaretskii @ 2017-05-25 18:09 UTC (permalink / raw)
  To: Francesco Potortì; +Cc: 27066

> Date: Thu, 25 May 2017 18:58:11 +0200
> From: Francesco Potortì <pot@gnu.org>
> Cc: 27066@debbugs.gnu.org
> 
> >How did you search?  Typing "i directory-local RET" lands me on the
> >right place, as does "C-s dir-local" followed by C-s enough times.
> 
> Hm.  It turns out that Debian, for some reason, did not update my dir
> info file after installing emacs25 side-by-side with emacs22, so I was
> reading emacs22 docs.  Sorry for the inaccurate info.

Ah, Debian with its user-unfriendly documentation policies...

> >Please suggest how to improve the existing docs.
> 
> The warning message should not say that risky variables are present in the
> directory: that makes sense only if you know where to look.  When
> reading that message, I thought about some bug somewhere.
> 
> The warning message should name the file where the offending variables
> were found, instead.

Patches are welcome to add the file name.  AFAICT, the function that
actually applies the variables doesn't know on which file the
variables were found, as there could be more than one of them, and
they all are read to produce a list of variables, before the
variables' values are applied.

> >Perhaps we should offer an option to ask the question you mentioned,
> >but I think in general it will annoy too much.
> 
> I don't know.  It's a relatively recent innovation, and I bet very few
> users have ever stumbled into it.

Well, not too recent: it was introduced in Emacs 23.1, 8 years ago.
Time flies...






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 18:09         ` Eli Zaretskii
@ 2017-05-25 19:25           ` Francesco Potortì
  2022-01-23 16:10           ` Lars Ingebrigtsen
  1 sibling, 0 replies; 8+ messages in thread
From: Francesco Potortì @ 2017-05-25 19:25 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 27066

>> >Please suggest how to improve the existing docs.
>> 
>> The warning message should not say that risky variables are present in the
>> directory: that makes sense only if you know where to look.  When
>> reading that message, I thought about some bug somewhere.
>> 
>> The warning message should name the file where the offending variables
>> were found, instead.
>
>Patches are welcome to add the file name.  AFAICT, the function that
>actually applies the variables doesn't know on which file the
>variables were found, as there could be more than one of them, and
>they all are read to produce a list of variables, before the
>variables' values are applied.

First, sorry to say this, there is no hope I could ever create a patch
of that kind.

Second, I already suspected that.  Unfortunately, I fear that in fact
this is important.  It makes no sense to me to know that the directory
contains some risky variables.  I personally know what file-local
variables are.  Probably a minority of Emacs users know that.  But I had no
idea that directory-local risky variables existed.

>> >Perhaps we should offer an option to ask the question you mentioned,
>> >but I think in general it will annoy too much.
>> 
>> I don't know.  It's a relatively recent innovation, and I bet very few
>> users have ever stumbled into it.
>
>Well, not too recent: it was introduced in Emacs 23.1, 8 years ago.
>Time flies...

Yes.  Time flies :)

But that is not something that you are bound to see.  You only notice it
when someone else uses it and you download a tree where that's used.
A pretty unlikely situation, all in all.  I understand that this is a
matter of (personal?) judgement, but it is an uncommon corner case.  And
given the problem above, when you don't even know where those variables
come from, it should not be treated lightly, in my opinion.






* bug#27066: 25.1; dired unsafe variables
  2017-05-25 18:09         ` Eli Zaretskii
  2017-05-25 19:25           ` Francesco Potortì
@ 2022-01-23 16:10           ` Lars Ingebrigtsen
  1 sibling, 0 replies; 8+ messages in thread
From: Lars Ingebrigtsen @ 2022-01-23 16:10 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 27066

Eli Zaretskii <eliz@gnu.org> writes:

> Patches are welcome to add the file name.  AFAICT, the function that
> actually applies the variables doesn't know on which file the
> variables were found, as there could be more than one of them, and
> they all are read to produce a list of variables, before the
> variables' values are applied.

I've now just mentioned "or .dir-locals.el" in the message in Emacs 29.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
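
The thread's open point is that the prompt does not say which file the variables came from. As an added example (not code from Emacs or from anyone in this thread), the Emacs Lisp below reads every .dir-locals.el under a tree as data, without applying it, and lists per file the settings Emacs would not accept silently. The my/... names and the sample are constructed, and the classification is an approximation built on safe-local-variable-p and risky-local-variable-p that reports every eval and mode entry.

```elisp
;; Added example: list directory-local settings per file without applying them.
;; All my/... names are hypothetical; the sample string is constructed.

(defun my/dir-locals-read (file)
  "Return the form stored in FILE, read as data; nothing is evaluated."
  (with-temp-buffer
    (insert-file-contents file)
    (let ((read-circle nil))
      (read (current-buffer)))))

(defun my/dir-locals-classify (var val)
  "Return nil when VAR = VAL is known safe, else `eval', `mode', `risky' or `unsafe'."
  (cond ((not (symbolp var)) 'unsafe)
        ((eq var 'subdirs) nil)          ; directive, not a variable
        ((memq var '(eval mode)) var)    ; always reported (conservative choice)
        ((safe-local-variable-p var val) nil)
        ((risky-local-variable-p var) 'risky)
        (t 'unsafe)))

(defun my/dir-locals-findings (alist file)
  "Return (FILE KIND VAR VAL) for each setting in ALIST that is not known safe."
  (let (out)
    (dolist (entry alist)
      (if (stringp (car-safe entry))
          ;; ("subdir/" . ALIST) nests the same format one level down.
          (dolist (f (my/dir-locals-findings (cdr entry) file))
            (push f out))
        ;; (MODE-OR-NIL . ((VAR . VAL) ...))
        (dolist (pair (cdr-safe entry))
          (let ((kind (my/dir-locals-classify (car-safe pair) (cdr-safe pair))))
            (when kind
              (push (list file kind (car-safe pair) (cdr-safe pair)) out))))))
    (nreverse out)))

(defun my/dir-locals-audit (root)
  "Return findings for every .dir-locals.el or .dir-locals-2.el under ROOT."
  (let (out)
    (dolist (file (directory-files-recursively
                   root "\\`\\.dir-locals\\(-2\\)?\\.el\\'"))
      (setq out (nconc out
                       (condition-case nil
                           (my/dir-locals-findings (my/dir-locals-read file) file)
                         ;; Unreadable or malformed file: report it, keep going.
                         (error (list (list file 'malformed nil nil)))))))
    out))

;; Constructed sample, not the .dir-locals.el from the bug report.
(defconst my/dir-locals-sample
  "((nil . ((indent-tabs-mode . nil)
           (my-project-flag . t)
           (eval . (ding))))
    (\"src/\" . ((c-mode . ((c-basic-offset . 4)
                          (after-save-hook . (ignore)))))))")

(defun my/dir-locals-demo ()
  "Audit a throwaway directory that holds only the constructed sample."
  (let ((dir (make-temp-file "dl-audit" t)))
    (unwind-protect
        (progn
          (with-temp-file (expand-file-name ".dir-locals.el" dir)
            (insert my/dir-locals-sample))
          (my/dir-locals-audit dir))
      (delete-directory dir t))))
```

To check an unpacked tree before visiting it, save the block as a file (audit.el is a hypothetical name) and run `emacs -Q --batch -l audit.el --eval '(pp (my/dir-locals-audit "opt/leela"))'`. Variables whose defining package is not loaded in that session are listed as unsafe.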




