From: Miles Bader <miles@gnu.org>
Subject: Re: security problem in emacs
Date: 01 Jan 2003 03:00:29 +0900 [thread overview]
Message-ID: <87u1gunk5e.fsf@tc-1-100.kawasaki.gol.ne.jp> (raw)
In-Reply-To: mailman.760.1041349397.19936.bug-gnu-emacs@gnu.org
Georgi Guninski <guninski@guninski.com> writes:
> 1. I found 2 security bugs on release version of emacs in less than
> week. How many left do you think are? Of course the idea of warning
> about eval or hooks seems good, but covering all cases of non-obvious
> evals in a large project is difficult task.
To be fair, both your examples were already taken care of.
> 2. Lusers like micro$oft thought in the beginning that scripting in
> email/word is a good idea and it is sandboxed. Now it is off by
> default in their email products. Think about it.
This is not scripting. Whether or not emacs is as restrictive as it
should be, I don't know, but there's clearly a large subset of
variables/values that can quite safely be set.
Yes, if emacs were the kernel, it would have to take a more conservative
approach -- but it's not, and convience _is_ important.
[Of course, it helps that the `local variables' section is not
interpreted for such obviously suspicious sources such as email or news,
and that emacs users are in general a more clueful lot than typical MS
product users]
> 3. Local variables are not portable accross editors, which makes them
> almost useless, unless every document has all the version of local
> variables for every editor.
Who cares about other editors? I certainly don't.
-Miles
--
`Cars give people wonderful freedom and increase their opportunities.
But they also destroy the environment, to an extent so drastic that
they kill all social life' (from _A Pattern Language_)
next prev parent reply other threads:[~2002-12-31 18:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mailman.749.1041337086.19936.bug-gnu-emacs@gnu.org>
[not found] ` <84znqm8f1k.fsf@lucy.cs.uni-dortmund.de>
2002-12-31 14:47 ` security problem in emacs Georgi Guninski
2002-12-31 15:14 ` Alfred M. Szmidt
2002-12-31 15:42 ` Georgi Guninski
[not found] ` <mailman.760.1041349397.19936.bug-gnu-emacs@gnu.org>
2002-12-31 18:00 ` Miles Bader [this message]
[not found] ` <mailman.754.1041346047.19936.bug-gnu-emacs@gnu.org>
2002-12-31 15:30 ` Miles Bader
2002-12-31 12:17 Georgi Guninski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87u1gunk5e.fsf@tc-1-100.kawasaki.gol.ne.jp \
--to=miles@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).