From: Paul Eggert <eggert@cs.ucla.edu>
To: Eli Zaretskii <eliz@gnu.org>, Richard Stallman <rms@gnu.org>
Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 10:19:35 -0700 [thread overview]
Message-ID: <c94cf6df-829c-8020-73bc-0417fc940c60@cs.ucla.edu> (raw)
In-Reply-To: <83o9rffqfp.fsf@gnu.org>
Eli Zaretskii wrote:
> Did you look at all the users of these functions in
> our codebase?
I have not looked at every single one in detail. I've looked at a fair sample.
See below for more discussion.
> E.g., I see at least one use of rename-file in Gnus
> that moves a directory, possibly 2 such uses.
Moving a directory is not a problem. The only problem is when the destination is
a directory but not a directory name and the intent is to change an entry in
that directory rather than to change the original destination.
I agree that some uses in code will need to be adjusted. Most won't, though. For
example, in the first occurrence of the string "rename-file" in Gnus, where
gnus-agent-rename-group calls (gnus-rename-file old-path new-path t), the intent
is to rename OLD-PATH to NEW-PATH, not to rename it to be an subsidiary entry to
NEW-PATH. For this particular example, the proposed change is slightly
beneficial, since it prevents rename-file from doing the wrong thing in the
(admittedly unlikely) event that some other process changes NEW-PATH to a
directory while Gnus is operating.
> What's more, some of the use cases will not even
> signal an error after the change, they will instead silently do
> something different from the previous versions, which is really bad.
This should be quite rare. The only scenario I see matching your concern is if
the source is a directory, the destination is not a directory name but is an
empty directory and is not a symlink, and the destination is not a descendant of
the source. Although not impossible, this will happen so rarely that it doesn't
invalidate the proposed change.
> At the very least, all the users in Emacs
> should be audited and fixed as needed.
Sure, I'll volunteer to do that. There are only 172 lines containing the string
"rename-file" in our Emacs Lisp code base, for example, and it shouldn't be that
much work to check them.
I've looked at this issue fairly carefully, and I'm afraid the solution I've
proposed is the best way forward if we want to close the security hole in Emacs.
next prev parent reply other threads:[~2017-08-16 17:19 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-06 15:40 bug#27986: 26.0.50; `rename-file' can rename files without confirmation Philipp
2017-08-06 17:05 ` Eli Zaretskii
2017-08-14 17:09 ` Philipp Stephani
2017-08-14 17:22 ` Eli Zaretskii
2017-08-11 8:15 ` bug#27986: 26.0.50; 'rename-file' " Paul Eggert
2017-08-13 22:42 ` Paul Eggert
2017-08-14 15:40 ` Eli Zaretskii
2017-08-14 23:31 ` Paul Eggert
2017-08-15 16:04 ` Eli Zaretskii
2017-08-15 17:24 ` Paul Eggert
2017-08-15 17:42 ` Eli Zaretskii
2017-08-15 19:27 ` Paul Eggert
2017-08-16 2:36 ` Eli Zaretskii
2017-08-16 5:06 ` Paul Eggert
2017-08-16 14:21 ` Eli Zaretskii
2017-08-16 15:15 ` Paul Eggert
2017-08-16 16:06 ` Eli Zaretskii
2017-08-16 17:19 ` Paul Eggert [this message]
2017-08-16 17:30 ` Eli Zaretskii
2017-08-16 18:06 ` Glenn Morris
2017-08-16 22:31 ` Stefan Monnier
2017-08-16 23:56 ` Paul Eggert
2017-08-17 0:04 ` Stefan Monnier
2017-08-19 6:54 ` Eli Zaretskii
2017-09-10 22:49 ` Paul Eggert
2017-09-11 6:07 ` Paul Eggert
2017-09-11 14:47 ` Eli Zaretskii
2017-09-11 16:45 ` Paul Eggert
2017-09-11 17:09 ` Eli Zaretskii
2017-09-11 17:25 ` Paul Eggert
2017-09-12 9:25 ` Michael Albinus
2017-08-13 23:48 ` Paul Eggert
2017-08-14 13:44 ` Ken Brown
2017-08-14 15:21 ` Eli Zaretskii
2017-08-14 15:34 ` Eli Zaretskii
2017-08-14 16:33 ` Eli Zaretskii
2017-08-14 16:58 ` Philipp Stephani
2017-08-14 17:04 ` Eli Zaretskii
2017-08-14 16:50 ` Philipp Stephani
2017-08-14 23:03 ` Paul Eggert
2017-08-15 1:19 ` Paul Eggert
2017-08-15 2:35 ` Eli Zaretskii
2017-08-15 7:00 ` Paul Eggert
2017-08-15 16:08 ` Eli Zaretskii
2017-08-16 19:33 ` Ken Brown
2017-08-19 21:30 ` Ken Brown
2017-08-19 21:37 ` Paul Eggert
2017-08-19 22:04 ` Ken Brown
2017-08-19 22:38 ` Paul Eggert
2017-08-15 12:45 ` Andy Moreton
2017-08-15 16:18 ` Eli Zaretskii
2017-08-19 21:33 ` bug#27986: 26.0.50; 'rename-file' can rename files without Richard Stallman
2017-08-20 2:37 ` Eli Zaretskii
2017-08-25 20:33 ` John Wiegley
2017-08-26 7:30 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c94cf6df-829c-8020-73bc-0417fc940c60@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=27986@debbugs.gnu.org \
--cc=eliz@gnu.org \
--cc=p.stephani2@gmail.com \
--cc=rms@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).