unofficial mirror of bug-gnu-emacs@gnu.org 
From: Adam Plaice <plaiceadam@gmail.com>
To: Stefan Kangas <stefan@marxist.se>
Cc: 37656@debbugs.gnu.org, Emacs developers <emacs-devel@gnu.org>
Subject: bug#37656: 27.0.50; Arbitrary code execution with special `mode:'
Date: Wed, 16 Oct 2019 02:35:58 +0200
Message-ID: <CAJw81daBs7R8RcpBta2ytNvKyJ7McHzkp5RQ51Nwfo8tqwUjcQ@mail.gmail.com>
In-Reply-To: <CADwFkm=U1zfUsD4jTPj44mNvQX-h2gVrvXCkvjM5V7brhS71_Q@mail.gmail.com>

> Here is a more complete patch.  Does it look like the right fix?

This indeed fixes the issue! Thanks for dealing with it so quickly! (Though
I'm obviously not qualified to say whether it's _the_ right fix for this.)

>  I think the relevant node in the documentation is:
> (info "(emacs)Choosing Modes")

That, and part of:
(info "(emacs)Specifying File Variables")


Unfortunately, I've realised that a similar problem can be introduced
with directory variables. (Should I file a separate bug for this as it's
closely related but not quite the same?) This requires at least two
files, so it's not quite as serious:

In .dir-locals.el:

((nil . ((mode . flymake))))

In, say, foobar, in the same directory:

-*- mode: emacs-lisp -*-

(eval-when-compile
  (with-temp-file "~/emacs_flymake_security_bug"
    (insert "Could have also executed any code.")))


(Some other, equivalent arrangements (e.g. (mode . emacs-lisp) directly in
.dir-locals.el), or simply an .el extension, also "work".)

According to the manual (info "(emacs)Directory Variables"):

> The special ‘mode’ element specifies the minor mode to be
> enabled.  So ‘(mode . auto-fill)’ specifies that the minor mode
> ‘auto-fill-mode’ needs to be enabled.

so in this case setting the minor mode _is_ the intended/documented behaviour,
which might make resolving the bug harder.

(OTOH (info "(emacs)Directory Variables") also states:

> You can specify the variables ‘mode’, ‘eval’, and ‘unibyte’ in your
> ‘.dir-locals.el’, and they have the same meanings as they would have in
> file local variables.

while (info "(emacs)Specifying File Variables") says:

> The special variable/value pair ‘mode:
> MODENAME;’, if present, specifies a major mode.

so there's some inconsistency on what `mode' in .dir-locals.el is actually
"supposed" to specify — a major mode, a minor mode or either.)

Thanks,
Adam
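
Added example, not part of the original message or of Emacs itself: a stand-alone check that reads a .dir-locals.el without evaluating it and lists every `mode` and `eval` entry, so a checkout can be reviewed before the directory is visited in Emacs. The function names and the second sample are assumptions made for illustration; the first sample is the .dir-locals.el quoted in the message.

```python
import re

# Entries .dir-locals.el treats specially that enable modes or run code.
SPECIAL = ("mode", "eval")

# Lisp tokens: comment (no group), string, paren, or bare atom.
TOKEN = re.compile(r'\s*(?:;[^\n]*|("(?:\\.|[^"\\])*")|([()])|([^\s()";]+))')

def read_forms(text):
    """Parse Lisp text into nested Python lists; nothing is evaluated."""
    stack = [[]]
    for string, paren, atom in (m.groups() for m in TOKEN.finditer(text)):
        if paren == "(":
            stack.append([])
        elif paren == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif string is not None or atom is not None:
            stack[-1].append(string if string is not None else atom)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def show(node):
    """Render a parsed node back to Lisp-like text for the report."""
    return node if isinstance(node, str) else "(" + " ".join(map(show, node)) + ")"

def audit_dir_locals(text):
    """Return (name, value) for each `mode`/`eval` entry at any nesting depth."""
    findings = []
    def walk(node):
        if not isinstance(node, list):
            return
        if len(node) >= 2 and node[0] in SPECIAL:
            # Accept both (mode . x) and the equivalent (mode x ...) spelling.
            value = node[2:] if node[1] == "." else node[1:]
            findings.append((node[0], " ".join(show(v) for v in value)))
            return  # do not descend into the flagged form
        for child in node:
            walk(child)
    for form in read_forms(text):
        walk(form)
    return findings

PAGE_SAMPLE = "((nil . ((mode . flymake))))"  # from the message above
NESTED_SAMPLE = """;; constructed sample with a subdirectory scope
((emacs-lisp-mode . ((indent-tabs-mode . nil)
                     (eval . (message "hi (there)"))))
 ("src" . ((nil . ((mode . auto-fill))))))"""
```

The parser is deliberately minimal and does not handle character literals such as `?(`; treat a ValueError as a reason to inspect the file by hand.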




