From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: Lars Ingebrigtsen Newsgroups: gmane.emacs.bugs Subject: bug#33264: Whitelist vc-follow-symlinks as a safe file variable Date: Mon, 15 Jul 2019 17:50:26 +0200 Message-ID: <87lfwzcn5p.fsf@mouse.gnus.org> References: <87tvbu3ug3.fsf@mouse.gnus.org> <0c431e43-3d2a-74cf-914f-00297df210d8@yandex.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="222971"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) Cc: "Eugene J." , 33264@debbugs.gnu.org To: Dmitry Gutov Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Jul 15 17:51:09 2019 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([209.51.188.17]) by blaine.gmane.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hn3Fs-000vrE-1O for geb-bug-gnu-emacs@m.gmane.org; Mon, 15 Jul 2019 17:51:08 +0200 Original-Received: from localhost ([::1]:40276 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hn3Fr-0000lW-3e for geb-bug-gnu-emacs@m.gmane.org; Mon, 15 Jul 2019 11:51:07 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:53633) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hn3Fo-0000gJ-DO for bug-gnu-emacs@gnu.org; Mon, 15 Jul 2019 11:51:05 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hn3Fn-00088I-90 for bug-gnu-emacs@gnu.org; Mon, 15 Jul 2019 11:51:04 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:39996) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1hn3Fn-000887-3h for bug-gnu-emacs@gnu.org; Mon, 15 Jul 2019 11:51:03 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1hn3Fl-00079k-UQ for bug-gnu-emacs@gnu.org; Mon, 15 Jul 2019 11:51:03 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Lars Ingebrigtsen Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 15 Jul 2019 15:51:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 33264 X-GNU-PR-Package: emacs Original-Received: via spool by 33264-submit@debbugs.gnu.org id=B33264.156320583527465 (code B ref 33264); Mon, 15 Jul 2019 15:51:01 +0000 Original-Received: (at 33264) by debbugs.gnu.org; 15 Jul 2019 15:50:35 +0000 Original-Received: from localhost ([127.0.0.1]:48817 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hn3FK-00078v-DG for submit@debbugs.gnu.org; Mon, 15 Jul 2019 11:50:34 -0400 Original-Received: from quimby.gnus.org ([80.91.231.51]:44726) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1hn3FH-00078h-TO for 33264@debbugs.gnu.org; Mon, 15 Jul 2019 11:50:33 -0400 Original-Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=sandy) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1hn3FD-0000jO-8r; Mon, 15 Jul 2019 17:50:29 +0200 In-Reply-To: <0c431e43-3d2a-74cf-914f-00297df210d8@yandex.ru> (Dmitry Gutov's message of "Mon, 15 Jul 2019 18:29:58 +0300") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.51.188.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.org gmane.emacs.bugs:163134 Archived-At: Dmitry Gutov writes: > I've tried to imagine a security issue stemming from it (e.g. linking > to an external directory tree with its own dir-locals values, and > then... what?), but didn't really come up with anything significant. The doc string says that a nil is "dangerous", but doesn't say what the danger is: --- What to do if visiting a symbolic link to a file under version control. Editing such a file through the link bypasses the version control system, which is dangerous and probably not what you want. If this variable is t, VC follows the link and visits the real file, telling you about it in the echo area. If it is =E2=80=98ask=E2=80=99, VC = asks for confirmation whether it should follow the link. If nil, the link is visited and a warning displayed. --- I'm guessing it doesn't really mean "dangerous", but instead "not optimal in most cases". Anyway, what would the safe-local values be? nil, t and ask or just nil? --=20 (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no