* Risky local variable mechanism @ 2006-01-31 23:09 Richard M. Stallman 2006-02-01 0:37 ` Stefan Monnier 2006-02-01 2:30 ` Chong Yidong 0 siblings, 2 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-01-31 23:09 UTC (permalink / raw) A few days ago I sent a message about possibly replacing the risky local variable mechanism with something safer. Nobody has responded yet. This problem is important; please help me think about the issue. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-01-31 23:09 Risky local variable mechanism Richard M. Stallman @ 2006-02-01 0:37 ` Stefan Monnier 2006-02-01 0:41 ` Luc Teirlinck 2006-02-02 4:17 ` Richard M. Stallman 2006-02-01 2:30 ` Chong Yidong 1 sibling, 2 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-01 0:37 UTC (permalink / raw) Cc: emacs-devel > A few days ago I sent a message about possibly replacing the risky > local variable mechanism with something safer. Nobody has responded > yet. This problem is important; please help me think about the issue. I rarely use file-local variables, so it's hard for me to figure out which set of restrictions will be best. Using custom types sounds like a good idea, but note that setting "boolean" variables can be dangerous as well (e.g. enable-local-eval). I guess we need to play with it a bit. But if we change the way it works, I think it might be a good idea to make sure that what we define is "really" safe. I.e. we only allow some known-safe variable settings. Maybe "string and integer custom vars" are all safe, I don't know. Otherwise we could simply introduce a "safe-local-variable" property which we'd add to every variable we decide is safe to set. Its value could also be a predicate (instead of just t) to allow finer settings. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 0:37 ` Stefan Monnier @ 2006-02-01 0:41 ` Luc Teirlinck 2006-02-01 2:39 ` Stefan Monnier 2006-02-02 4:17 ` Richard M. Stallman 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-01 0:41 UTC (permalink / raw) Cc: rms, emacs-devel Stefan Monnier wrote: Otherwise we could simply introduce a "safe-local-variable" property which we'd add to every variable we decide is safe to set. Its value could also be a predicate (instead of just t) to allow finer settings. Introduce? That is exactly what we have already, is it not? Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 0:41 ` Luc Teirlinck @ 2006-02-01 2:39 ` Stefan Monnier 0 siblings, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-01 2:39 UTC (permalink / raw) Cc: rms, emacs-devel > Otherwise we could simply introduce a "safe-local-variable" property > which we'd add to every variable we decide is safe to set. Its value > could also be a predicate (instead of just t) to allow finer settings. > Introduce? That is exactly what we have already, is it not? Do we? Oh I guess we do, but we don't really use it much, because we rely on risky-local-variable instead. So my suggestion would then be to remove risky-local-variable and only rely on safe-local-variable. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 0:37 ` Stefan Monnier 2006-02-01 0:41 ` Luc Teirlinck @ 2006-02-02 4:17 ` Richard M. Stallman 2006-02-02 12:42 ` Kim F. Storm 2006-02-02 12:47 ` Risky local variable mechanism Kim F. Storm 1 sibling, 2 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-02 4:17 UTC (permalink / raw) Cc: emacs-devel I rarely use file-local variables, so it's hard for me to figure out which set of restrictions will be best. Using custom types sounds like a good idea, but note that setting "boolean" variables can be dangerous as well (e.g. enable-local-eval). That is a good point--but there are just a few variables which are dangerous in that way, and they already are marked. The big set of variables which are dangerous but not marked are those whose values can be functions to call. That is what I am hoping to recognize using custom types. Another idea: just check to see if the value is a function name, or if any function name (including lambda) appears in it. If so, the value is risky. That is quite simple and does not depend on knowing the custom type. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 4:17 ` Richard M. Stallman @ 2006-02-02 12:42 ` Kim F. Storm 2006-02-03 23:43 ` Richard M. Stallman 2006-02-02 12:47 ` Risky local variable mechanism Kim F. Storm 1 sibling, 1 reply; 99+ messages in thread From: Kim F. Storm @ 2006-02-02 12:42 UTC (permalink / raw) Cc: Stefan Monnier, emacs-devel "Richard M. Stallman" <rms@gnu.org> writes: > I rarely use file-local variables, so it's hard for me to figure out which > set of restrictions will be best. Using custom types sounds like a good > idea, but note that setting "boolean" variables can be dangerous as well > (e.g. enable-local-eval). > > That is a good point--but there are just a few variables which are > dangerous in that way, and they already are marked. The big set of > variables which are dangerous but not marked are those whose values > can be functions to call. That is what I am hoping to recognize using > custom types. > > Another idea: just check to see if the value is a function name, or if > any function name (including lambda) appears in it. If so, the value > is risky. That is quite simple and does not depend on knowing the > custom type. Why not make anything risky, except those explicit settings which are recorded in safe-local-eval-forms (and add something similar for variables), and then make it easier to update those lists when user is queried to approve local variables/forms Of course, we can still mark certain things 'safe which we explicitly consider to be safe. -- Kim F. Storm <storm@cua.dk> http://www.cua.dk ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 12:42 ` Kim F. Storm @ 2006-02-03 23:43 ` Richard M. Stallman 2006-02-04 4:34 ` Luc Teirlinck ` (3 more replies) 0 siblings, 4 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-03 23:43 UTC (permalink / raw) Cc: monnier, emacs-devel Why not make anything risky, except those explicit settings which are recorded in safe-local-eval-forms (and add something similar for variables), and then make it easier to update those lists when user is queried to approve local variables/forms That could be a good approach. Would someone like to implement this? ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-03 23:43 ` Richard M. Stallman @ 2006-02-04 4:34 ` Luc Teirlinck 2006-02-05 17:34 ` Richard M. Stallman 2006-02-07 16:45 ` Chong Yidong ` (2 subsequent siblings) 3 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-04 4:34 UTC (permalink / raw) Cc: emacs-devel, monnier, storm Richard Stallman wrote: Why not make anything risky, except those explicit settings which are recorded in safe-local-eval-forms (and add something similar for variables), and then make it easier to update those lists when user is queried to approve local variables/forms That could be a good approach. Would someone like to implement this? Note that we _already_ have a similar mechanism, which is more flexible than the proposed one, because it allows the safety to depend on both the variable _and_ its value: >From `(elisp)File Local Variables': These rules can be overridden by giving the variable's name a non-`nil' `safe-local-variable' property. If one gives it a `safe-local-variable' property of `t', then one can give the variable any file local value. One can also give any symbol, including the above, a `safe-local-variable' property that is a function taking exactly one argument. In that case, giving a variable with that name a file local value is only allowed if the function returns non-`nil' when called with that value as argument. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-04 4:34 ` Luc Teirlinck @ 2006-02-05 17:34 ` Richard M. Stallman 2006-02-06 6:00 ` Luc Teirlinck 2006-02-07 2:47 ` Luc Teirlinck 0 siblings, 2 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-05 17:34 UTC (permalink / raw) Cc: emacs-devel, monnier, storm Why not make anything risky, except those explicit settings which are recorded in safe-local-eval-forms (and add something similar for variables), and then make it easier to update those lists when user is queried to approve local variables/forms That could be a good approach. Would someone like to implement this? Note that we _already_ have a similar mechanism, which is more flexible than the proposed one, This seems to be a misunderstanding. You're talking about underlying mechanisms; we're talking about user interfaces. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-05 17:34 ` Richard M. Stallman @ 2006-02-06 6:00 ` Luc Teirlinck 2006-02-07 6:07 ` Richard M. Stallman 2006-02-07 2:47 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-06 6:00 UTC (permalink / raw) Cc: storm, monnier, emacs-devel Richard Stallman wrote: This seems to be a misunderstanding. You're talking about underlying mechanisms; we're talking about user interfaces. If I understand the proposed interface correctly, it would try to update the currently customizable (through Custom) variable safe-local-eval-forms automatically when the user visits a file. It would create another option, customizable through Custom, for variables and try to update that one in the same way too. One problem for the variable list option would be that, in its proposed form, it would only handle the variable and not the value it is going to be set to, whereas the value is often crucial. There are way worse problems, if the user would try to customize these variables _through Custom_ instead of .emacs. Customizing `safe-local-eval-forms' through Custom _already_ is problematic right now. The only way to avoid surprises is to customize it in .emacs instead of through Custom. (The reasons are similar to those for hooks.) The automatic updating would make the existing problems worse and would make actually triggering the potential problems _way_ more likely than it is now. The two options would be listvars, whose value should not be set using setq, like Custom does, but using add-to-list or (setq safe-local-eval-forms (delete form safe-local-eval-forms)). Custom can currently not handle such variables in any satisfactory way. The involved problems are similar to those for hooks. There are tons of problems we know about for hooks (but which apply equally to this type of listvar) and whenever we discuss these problems, we find some new ones. We decided earlier to delay solving these problems till after the release, because they required too radical changes in Custom. I do not see how the automatic updating could be done in a way that works well both for people who customize these two options in their .emacs _and_ for people who customize them through Custom, especially not given Custom's current problems with this type of listvars. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-06 6:00 ` Luc Teirlinck @ 2006-02-07 6:07 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-07 6:07 UTC (permalink / raw) Cc: storm, monnier, emacs-devel If I understand the proposed interface correctly, it would try to update the currently customizable (through Custom) variable safe-local-eval-forms automatically when the user visits a file. Not "automatically". It would ask the user questions. It would create another option, customizable through Custom, for variables and try to update that one in the same way too. The idea is not that specific. That could be one way of doing it. The details can be worked out in various ways. There are way worse problems, if the user would try to customize these variables _through Custom_ instead of .emacs. I don't think so. It makes no difference whether the change is made using the Custom buffer or using the ask-questions-when-visiting interface; either way it will update .emacs just the same. But even if you are right, it is just a side issue, not very important. We have a grave problem that we need to solve. If the solution introduces minor problems, that's ok. I do not see how the automatic updating could be done in a way that works well both for people who customize these two options in their .emacs _and_ for people who customize them through Custom, especially not given Custom's current problems with this type of listvars. I think it will work right without any special effort. If not, we can easily work around it by making two variables, one to set with Custom and one that ask-questions-when-visiting will set. Please learn to put minor imperfections in perspective. They are not show-stoppers. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-05 17:34 ` Richard M. Stallman 2006-02-06 6:00 ` Luc Teirlinck @ 2006-02-07 2:47 ` Luc Teirlinck 1 sibling, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-07 2:47 UTC (permalink / raw) Cc: storm, monnier, emacs-devel There are some things I misunderstood about this problem, because the documentation in the Elisp manual was misleading. It seemed to suggest that most of the variables and features in question affect whether setting file local variables is allowed, whereas they only determine whether setting them is affected by `enable-local-eval'. If `enable-local-eval' has its default value 'maybe, the user gets _asked_ whether to set the file local variables. The lone exceptions are the variables in `ignored-local-variables', which unconditionally can not be set. Another exception is that a user running as root can not set file local variables to values controlled by `enable-local-eval', regardless of the value of `enable-local-eval'. So we are just talking about which variables to _warn_ the user about. I personally have `enable-local-variables' set to 'query for ages and I have never found these questions too inconvenient. So why do we not play it super-safe and just set the default value of `enable-local-variables' to 'maybe? That would not require _any_ changes, other than a bugfix to ses, for which I am about to submit a patch anyway. If a user wants to live more dangerously, he can always set the value of enable-local-variables back to t. To understand the problem better myself, I rewrote the misleading Elisp manual node. I include a patch below. If we are going to completely change the mechanism (rather than just the default of `enable-local-variables'), the patches below affect nodes that would have to be completely rewritten after the changes anyway, but I could install them if it could help other people understand the present situation and hence the problem better. The current node is misleading. So are several docstrings, but I did not rewrite those, since if we would change the mechanism completely, this would be moot. ===File ~/custom.texi-diff================================== *** custom.texi 05 Feb 2006 16:45:32 -0600 1.107 --- custom.texi 06 Feb 2006 17:53:59 -0600 *************** *** 1196,1202 **** The @code{safe-local-eval-forms} is a customizable list of eval forms which are safe to eval, so Emacs should not ask for confirmation to evaluate these forms, even if ! @code{enable-local-variables} says to ask for confirmation in general. @node Key Bindings @section Customizing Key Bindings --- 1196,1202 ---- The @code{safe-local-eval-forms} is a customizable list of eval forms which are safe to eval, so Emacs should not ask for confirmation to evaluate these forms, even if ! @code{enable-local-eval} says to ask for confirmation in general. @node Key Bindings @section Customizing Key Bindings ============================================================ ===File ~/variables.texi-diff=============================== *** variables.texi 06 Feb 2006 16:02:08 -0600 1.71 --- variables.texi 06 Feb 2006 20:12:58 -0600 *************** *** 1774,1828 **** If a file local variable could specify a function that would be called later, or an expression that would be executed later, simply visiting a file could take over your Emacs. To prevent this, Emacs ! takes care not to allow to set such file local variables. ! For one thing, any variable whose name ends in any of ! @samp{-command}, @samp{-frame-alist}, @samp{-function}, ! @samp{-functions}, @samp{-hook}, @samp{-hooks}, @samp{-form}, ! @samp{-forms}, @samp{-map}, @samp{-map-alist}, @samp{-mode-alist}, ! @samp{-program}, or @samp{-predicate} cannot be given a file local ! value. In general, you should use such a name whenever it is ! appropriate for the variable's meaning. The variables ! @samp{font-lock-keywords}, @samp{font-lock-keywords} followed by a ! digit, and @samp{font-lock-syntactic-keywords} cannot be given file ! local values either. These rules can be overridden by giving the ! variable's name a non-@code{nil} @code{safe-local-variable} property. ! If one gives it a @code{safe-local-variable} property of @code{t}, ! then one can give the variable any file local value. One can also ! give any symbol, including the above, a @code{safe-local-variable} ! property that is a function taking exactly one argument. In that ! case, giving a variable with that name a file local value is only ! allowed if the function returns non-@code{nil} when called with that ! value as argument. ! In addition, any variable whose name has a non-@code{nil} ! @code{risky-local-variable} property is also ignored. So are all ! variables listed in @code{ignored-local-variables}: ! @defvar ignored-local-variables ! This variable holds a list of variables that should not be given local ! values by files. Any value specified for one of these variables is ! ignored. ! @end defvar @defun risky-local-variable-p sym &optional val ! If @var{val} is non-@code{nil}, returns non-@code{nil} if giving ! @var{sym} a file local value of @var{val} would be risky, for any of ! the reasons stated above. If @var{val} is @code{nil} or omitted, only ! returns @code{nil} if @var{sym} can be safely assigned any file local ! value whatsoever. @end defun ! The @samp{Eval:} ``variable'' is also a potential loophole, so Emacs ! normally asks for confirmation before handling it. ! ! @defopt enable-local-eval ! This variable controls processing of @samp{Eval:} in @samp{-*-} lines ! or local variables ! lists in files being visited. A value of @code{t} means process them ! unconditionally; @code{nil} means ignore them; anything else means ask ! the user what to do for each file. The default value is @code{maybe}. ! @end defopt Text properties are also potential loopholes, since their values could include functions to call. So Emacs discards all text --- 1774,1832 ---- If a file local variable could specify a function that would be called later, or an expression that would be executed later, simply visiting a file could take over your Emacs. To prevent this, Emacs ! normally queries you before setting such file local variables. ! @defopt enable-local-eval ! This variable controls processing of the @samp{Eval:} ``variable'' and ! other risky local variables in @samp{-*-} lines or local variables ! lists in files being visited. A value of @code{t} means process them ! unconditionally; @code{nil} means ignore them; anything else means ask ! the user what to do for each file. The default value is @code{maybe}. ! A user running as root can not set these risky variables, regardless ! of the value of @code{enable-local-eval}. ! @end defopt ! Any variable whose name ends in any of @samp{-command}, ! @samp{-frame-alist}, @samp{-function}, @samp{-functions}, ! @samp{-hook}, @samp{-hooks}, @samp{-form}, @samp{-forms}, @samp{-map}, ! @samp{-map-alist}, @samp{-mode-alist}, @samp{-program}, or ! @samp{-predicate} is subject to @code{enable-local-eval}. In general, ! you should use such a name whenever it is appropriate for the ! variable's meaning. @code{enable-local-eval} also affects the ! variables @samp{font-lock-keywords}, @samp{font-lock-keywords} ! followed by a digit, and @samp{font-lock-syntactic-keywords}. These ! rules can be overridden by giving the variable's name a non-@code{nil} ! @code{safe-local-variable} property. If one gives it a ! @code{safe-local-variable} property of @code{t}, then the variable is ! only subject to @code{enable-local-variables}. One can also give any ! symbol, including the above, a @code{safe-local-variable} property ! that is a function taking exactly one argument. In that case, giving ! a variable with that name a file local value is only subject to ! @code{enable-local-eval} if the function returns non-@code{nil} when ! called with that value as argument. ! ! In addition, any variable whose name has a non-@code{nil} ! @code{risky-local-variable} property is also subject to ! @code{enable-local-eval}. @defun risky-local-variable-p sym &optional val ! If @var{val} is non-@code{nil}, returns non-@code{nil} if ! @code{enable-local-eval} affects giving @var{sym} a file local value ! of @var{val}. If @var{val} is @code{nil} or omitted, only returns ! @code{nil} if @code{enable-local-eval} does not affect assigning ! @var{sym} any file local value whatsoever. ! ! This function ignores the value of @code{ignored-local-variables} (see ! below), because Emacs ignores the variables in that list, ! @emph{regardless} of the value of @code{enable-local-eval}. @end defun ! @defvar ignored-local-variables ! This variable holds a list of variables that should not be given local ! values by files, regardless of the value of @code{enable-local-eval}. ! Any value specified for one of these variables is unconditionally ignored. ! @end defvar Text properties are also potential loopholes, since their values could include functions to call. So Emacs discards all text ============================================================ ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-03 23:43 ` Richard M. Stallman 2006-02-04 4:34 ` Luc Teirlinck @ 2006-02-07 16:45 ` Chong Yidong 2006-02-08 1:49 ` Luc Teirlinck 2006-02-09 17:48 ` Richard M. Stallman 2006-02-10 5:34 ` Chong Yidong 2006-02-14 1:33 ` Chong Yidong 3 siblings, 2 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-07 16:45 UTC (permalink / raw) Cc: emacs-devel, monnier, Kim F. Storm "Richard M. Stallman" <rms@gnu.org> writes: > Why not make anything risky, except those explicit settings which > are recorded in safe-local-eval-forms (and add something similar > for variables), and then make it easier to update those lists > when user is queried to approve local variables/forms > > That could be a good approach. > > Would someone like to implement this? How about this patch? It implements a `safe-local-variables' custom option. If a variable is not in this list, the user is prompted before it is set. If the user agrees to set it, and the variable is not explicitly marked as risky (as determined by the currently existing `risky-local-variable-p' function), we ask if that variable can be automatically set in the future. If the user agrees to this too, `safe-local-variables' is updated and saved to the custom-file. *** emacs/lisp/files.el.~1.804.~ 2006-02-06 23:43:16.000000000 -0500 --- emacs/lisp/files.el 2006-02-07 11:35:06.000000000 -0500 *************** *** 2393,2405 **** (run-hooks 'hack-local-variables-hook)) mode-specified)) ! (defvar ignored-local-variables () ! "Variables to be ignored in a file's local variable spec.") ;; Get confirmation before setting these variables as locals in a file. (put 'debugger 'risky-local-variable t) (put 'enable-local-eval 'risky-local-variable t) (put 'ignored-local-variables 'risky-local-variable t) (put 'eval 'risky-local-variable t) (put 'file-name-handler-alist 'risky-local-variable t) (put 'inhibit-quit 'risky-local-variable t) --- 2393,2417 ---- (run-hooks 'hack-local-variables-hook)) mode-specified)) ! (defcustom safe-local-variables ! '(c-basic-offset c-indent-level compile-command fill-column ! fill-prefix indent-tabs-mode page-delimiter paragraph-separate ! sentence-end sentence-end-double-space tab-width version-control) ! "Variables that are treated as safe." ! :group 'find-file ! :type '(repeat symbol)) ! ! (defcustom ignored-local-variables ! '(ignored-local-variables safe-local-variables) ! "Variables to be ignored in a file's local variable spec." ! :group 'find-file ! :type '(repeat symbol)) ;; Get confirmation before setting these variables as locals in a file. (put 'debugger 'risky-local-variable t) (put 'enable-local-eval 'risky-local-variable t) (put 'ignored-local-variables 'risky-local-variable t) + (put 'safe-local-variables 'risky-local-variable t) (put 'eval 'risky-local-variable t) (put 'file-name-handler-alist 'risky-local-variable t) (put 'inhibit-quit 'risky-local-variable t) *************** *** 2451,2463 **** (put 'display-time-string 'risky-local-variable t) (put 'parse-time-rules 'risky-local-variable t) - ;; This case is safe because the user gets to check it before it is used. - (put 'compile-command 'safe-local-variable 'stringp) - (defun risky-local-variable-p (sym &optional val) ! "Non-nil if SYM could be dangerous as a file-local variable with value VAL. ! If VAL is nil or omitted, the question is whether any value might be ! dangerous." ;; If this is an alias, check the base name. (condition-case nil (setq sym (indirect-variable sym)) --- 2463,2482 ---- (put 'display-time-string 'risky-local-variable t) (put 'parse-time-rules 'risky-local-variable t) (defun risky-local-variable-p (sym &optional val) ! "Non-nil if SYM is dangerous as a file-local variable with value VAL. ! A variable is dangerous if any of the following conditions are met: ! ! * Its `risky-local-variable' property is non-nil (regardless of VAL). ! ! * Its `safe-local-variable' property is unset, and its name ends with ! \"hook(s)\", \"function(s)\", \"form(s)\", \"map\", \"program\", ! \"command(s)\", \"predicate(s)\", \"frame-alist\", \"mode-alist\", ! \"font-lock-keyword*\", \"font-lock-syntactic-keywords\", or ! \"map-alist\" (regardless of VAL). ! ! * Its `safe-local-variable' property is a function that ! evaluates to a non-nil value when given VAL as an argument." ;; If this is an alias, check the base name. (condition-case nil (setq sym (indirect-variable sym)) *************** *** 2540,2562 **** ((memq var ignored-local-variables) nil) ;; "Setting" eval means either eval it or do nothing. ! ;; Likewise for setting hook variables. ! ((risky-local-variable-p var val) ! ;; Permit evalling a put of a harmless property. ! ;; if the args do nothing tricky. ! (if (or (and (eq var 'eval) ! (hack-one-local-variable-eval-safep val)) ! ;; Permit eval if not root and user says ok. ! (and (not (zerop (user-uid))) ! (hack-local-variables-confirm ! "Process `eval' or hook local variables in %s? " ! enable-local-eval))) ! (if (eq var 'eval) ! (save-excursion (eval val)) ! (make-local-variable var) ! (set var val)) ! (message "Ignoring risky spec in the local variables list"))) ! ;; Ordinary variable, really set it. (t (make-local-variable var) ;; Make sure the string has no text properties. ;; Some text properties can get evaluated in various ways, --- 2559,2573 ---- ((memq var ignored-local-variables) nil) ;; "Setting" eval means either eval it or do nothing. ! ((eq var 'eval) ! (if (hack-one-local-variable-eval-safep val) ! (save-excursion (eval val)) ! (message "Ignoring eval spec in the local variables list"))) ! ;; Variables not explicitly marked as safe, ask first. ! ((not (memq var safe-local-variables)) ! (unless (zerop (user-uid)) ! (hack-one-risky-local-variable var val))) ! ;; Safe variable, really set it. (t (make-local-variable var) ;; Make sure the string has no text properties. ;; Some text properties can get evaluated in various ways, *************** *** 2565,2570 **** --- 2576,2608 ---- (set-text-properties 0 (length val) nil val)) (set var val)))) + (defun hack-one-risky-local-variable (var val) + "Set local variable VAR with value VAL if the user agrees. + If the user agrees to set the variable, and the variable is not + explicitly marked as risky (see `risky-local-variable-p'), + additionally ask if it can always be set automatically. + If so, add it to `safe-local-variables'." + (let ((risky (risky-local-variable-p var val))) + (if (y-or-n-p (format "Set variable %s in local variable list of %s? " + (symbol-name var) + (if buffer-file-name + (file-name-nondirectory buffer-file-name) + (concat "buffer " (buffer-name))))) + (progn + (when (and (not risky) + (y-or-n-p (format "Always allow setting %s? " + (symbol-name var)))) + (customize-save-variable + 'safe-local-variables + (add-to-list 'safe-local-variables var)) + (message + "To undo this change, customize `safe-local-variables'.")) + (make-local-variable var) + (set var val)) + (unless risky + (message "To always ignore %s as a local variable, \ + customize `ignored-local-variables'." + (symbol-name var)))))) \f (defcustom change-major-mode-with-file-name t "*Non-nil means \\[write-file] should set the major mode from the file name. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-07 16:45 ` Chong Yidong @ 2006-02-08 1:49 ` Luc Teirlinck 2006-02-08 2:09 ` Chong Yidong 2006-02-08 3:13 ` Stefan Monnier 2006-02-09 17:48 ` Richard M. Stallman 1 sibling, 2 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 1:49 UTC (permalink / raw) Cc: storm, rms, monnier, emacs-devel Chong Yidong wrote: How about this patch? It implements a `safe-local-variables' custom option. If a variable is not in this list, the user is prompted before it is set. If the user agrees to set it, and the variable is not explicitly marked as risky (as determined by the currently existing `risky-local-variable-p' function), we ask if that variable can be automatically set in the future. If the user agrees to this too, `safe-local-variables' is updated and saved to the custom-file. After realizing what we are really trying to do, I believe that this makes little sense. Most users have no idea how to determine whether an Elisp variable is always safe to set as a file local variable. When asked whether they want to set the file local variables as set in the -*- line or the local variables list, most users ask themselves: "Who wrote this file, who might have had access to this file since I last visited it, and do I trust these people?". In practice, this is the best most people can do. You ask not one, but two, questions for _each_ file local variable that is not explicitly marked safe, which will mean the vast majority of variables. Most users do not know enough to _ever_ answer yes to your second question and if the file contains say five local variables, we will keep asking them ten questions each time they visit the file. That is saying to the user: "You _better_ agree to let anybody set these variables to any value whatsoever or else we are going to keep harassing you with these ten questions for all eternity. You already pressed `y' once, because you trust the person who wrote this file. You have your finger already on the `y' key. Just press it a second time and trust _everybody_." Also, the involved defcustom's are _very_ problematic. The many Custom problems regarding listvars I mentioned earlier are _not_ minor. For instance, one serious problem is that if one would, for a subsequent Emacs version, _have_ to add variables to the default of one of these defcustoms, because these variables are obviously safe and often encountered, or much worse, obviously extremely dangerous, then any user who customized them in the prior version will never get his customized values updated, which may be very dangerous, if some very dangerous new variable was introduced. I believe that it would be much better to show the user the -*- line and the Local Variables list (at most one of the two should normally be present) and ask the user whether he wants to set the variables. That is one question per file (or at worst two, but that should very seldom happen in practice). One can accomplish this by setting enable-local-variables by default to 'maybe. At present, this still has the drawback that the question is asked even if the file only sets _obviously_ safe variables. I believe that these include `coding', `mode', `byte-compile-dynamic' and a few other often used ones. (I must admit that I am not even completely sure myself exactly which variables are safe to set to any value whatsoever. I wonder how somebody who does not know Elisp might manage to do that.) We might fine tune enable-local-variables not to ask any question if all of the variables are safe pseudo-variables or are safe to set to the given value as determined by the safe-local-variable property. No new defcustom needed. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 1:49 ` Luc Teirlinck @ 2006-02-08 2:09 ` Chong Yidong 2006-02-08 2:18 ` Luc Teirlinck 2006-02-08 3:13 ` Stefan Monnier 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-08 2:09 UTC (permalink / raw) Cc: storm, rms, monnier, emacs-devel > You ask not one, but two, questions for _each_ file local variable > that is not explicitly marked safe, which will mean the vast majority > of variables. Maybe, maybe not. The number of local variables that people are likely to set is rather limited, and the most commonly-encountered ones are already in the default value of `safe-local-variables'. It's possible that a user may never be asked that question (and when we need to ask, we should). Still, it's not difficult to change the code so that we display all the local variables and ask if you user wants to set them all. I guess the decision is up to Richard. > if one would, for a subsequent Emacs version, _have_ to add > variables to the default of one of these defcustoms, because these > variables are obviously safe and often encountered, or much worse, > obviously extremely dangerous, then any user who customized them in > the prior version will never get his customized values updated, > which may be very dangerous, if some very dangerous new variable was > introduced. Sorry, you're just being a drama queen here. The variable in question is a whitelist of safe variables. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 2:09 ` Chong Yidong @ 2006-02-08 2:18 ` Luc Teirlinck 2006-02-08 4:30 ` Chong Yidong 0 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 2:18 UTC (permalink / raw) Cc: emacs-devel, rms, monnier, storm Chong Yidong wrote: Sorry, you're just being a drama queen here. The variable in question is a whitelist of safe variables. Really? You apparently do not know what your own patch does. It makes a defcustom out of `ignored-local-variables'. This is _not_ a whitelist of safe variables, quite to the contrary. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 2:18 ` Luc Teirlinck @ 2006-02-08 4:30 ` Chong Yidong 2006-02-08 4:56 ` Chong Yidong 2006-02-08 5:00 ` Luc Teirlinck 0 siblings, 2 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-08 4:30 UTC (permalink / raw) Cc: emacs-devel, rms, monnier, storm Luc Teirlinck <teirllm@dms.auburn.edu> writes: > Chong Yidong wrote: > > Sorry, you're just being a drama queen here. The variable in question > is a whitelist of safe variables. > > Really? You apparently do not know what your own patch does. It > makes a defcustom out of `ignored-local-variables'. This is _not_ a > whitelist of safe variables, quite to the contrary. Er, it is always safe to *add* to a list of local variables to ignore. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:30 ` Chong Yidong @ 2006-02-08 4:56 ` Chong Yidong 2006-02-08 5:02 ` Luc Teirlinck 2006-02-08 5:00 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-08 4:56 UTC (permalink / raw) Cc: storm, rms, monnier, emacs-devel Chong Yidong <cyd@stupidchicken.com> writes: > Luc Teirlinck <teirllm@dms.auburn.edu> writes: > >> Chong Yidong wrote: >> >> Sorry, you're just being a drama queen here. The variable in question >> is a whitelist of safe variables. >> >> Really? You apparently do not know what your own patch does. It >> makes a defcustom out of `ignored-local-variables'. This is _not_ a >> whitelist of safe variables, quite to the contrary. > > Er, it is always safe to *add* to a list of local variables to ignore. BTW, I was originally referring to the new `safe-local-variables' defcustom in the patch. (The patch doesn't do anything with ignored-local-variables apart from making it a defcustom [currently, it is just a variable that is nil]). ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:56 ` Chong Yidong @ 2006-02-08 5:02 ` Luc Teirlinck 0 siblings, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 5:02 UTC (permalink / raw) Cc: emacs-devel, rms, monnier, storm Chong Yidong wrote: The patch doesn't do anything with ignored-local-variables apart from making it a defcustom Yes, but that is _exactly_ what creates the problems I pointed out. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:30 ` Chong Yidong 2006-02-08 4:56 ` Chong Yidong @ 2006-02-08 5:00 ` Luc Teirlinck 2006-02-08 5:28 ` Chong Yidong 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 5:00 UTC (permalink / raw) Cc: emacs-devel, rms, monnier, storm Chong Yidong wrote: Er, it is always safe to *add* to a list of local variables to ignore. Not if you do it _through Custom_. You did not understand what I wrote in my first message. After the release, we introduce some new variable so dangerous that it _has_ to be in `ignored-local-variables'. We add that variable to the standard value in the defcustom. Now anybody who customized `ignored-local-variables' in the meantime will _not_ get that dangerous variable added to `ignored-local-variables'. This is an updating problem. The safe way to add to `ignored-local-variable' is using add-to-list, not using setq. Your code uses add-to-list *when it is called*, but after that, it lets Custom do the work and Custom uses set-default, which is not safe. The same type of updating problem also occurs for `safe-local-variables'. As Stefan pointed out, there is also another type of updating problem with `safe-local-variables', because a safe variable can become unsafe if it gets changed to be more powerful. This type can combine with the other. If we add a variable to the standard value in one release and then have to remove it in a later release from some reason, then anybody who customized the variable _through Custom_ will not get that variable removed from his customized value. Somebody who only used add-to-list to add other variables, will get it properly removed. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:00 ` Luc Teirlinck @ 2006-02-08 5:28 ` Chong Yidong 0 siblings, 0 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-08 5:28 UTC (permalink / raw) Cc: emacs-devel, rms, monnier, storm Luc Teirlinck <teirllm@dms.auburn.edu> writes: > After the release, we introduce some new variable so dangerous that > it _has_ to be in `ignored-local-variables'. In this unlikely event, the code in files.el can always treat that variable specially. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 1:49 ` Luc Teirlinck 2006-02-08 2:09 ` Chong Yidong @ 2006-02-08 3:13 ` Stefan Monnier 2006-02-08 4:51 ` Chong Yidong 1 sibling, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 3:13 UTC (permalink / raw) Cc: cyd, storm, rms, emacs-devel > After realizing what we are really trying to do, I believe that this > makes little sense. Agreed. > Also, the involved defcustom's are _very_ problematic. The many Custom > problems regarding listvars I mentioned earlier are _not_ minor. > For instance, one serious problem is that if one would, for a > subsequent Emacs version, _have_ to add variables to the default of > one of these defcustoms, because these variables are obviously safe > and often encountered, or much worse, obviously extremely dangerous, > then any user who customized them in the prior version will never get > his customized values updated, which may be very dangerous, if some > very dangerous new variable was introduced. Even for the list of safe vars, there's a significant problem: future Emacsen may change (typically extend) the possible values of a var and/or their meaning, so that a safe var may become unsafe. I think we should only use `safe-variable' symbol-properties (only expected to be set by maintainers, and which can be removed/refined if necessary) and then for each var, an additional list of values which are considered safe (this can be set by users, or even automatically set when the user answers the interactive question). BTW, maybe the interactive question should allow more than 2 answers: - refuse those local variable settings this time. - refuse them now and every time in the future. - (maybe) refuse them in this Emacs session. - accept them but just this one time. - accept them every time. - (maybe) accept them just for this Emacs session. This way, there's still only one prompt. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 3:13 ` Stefan Monnier @ 2006-02-08 4:51 ` Chong Yidong 2006-02-08 5:07 ` Stefan Monnier ` (3 more replies) 0 siblings, 4 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-08 4:51 UTC (permalink / raw) Cc: storm, Luc Teirlinck, rms, emacs-devel > Even for the list of safe vars, there's a significant problem: future > Emacsen may change (typically extend) the possible values of a var and/or > their meaning, so that a safe var may become unsafe. > > I think we should only use `safe-variable' symbol-properties (only expected > to be set by maintainers, and which can be removed/refined if necessary) and > then for each var, an additional list of values which are considered safe > (this can be set by users, or even automatically set when the user answers > the interactive question). I don't see how this would help. As long as it is possible for a user to explicitly set a variable as safe, there will be some sort of risk of this sort. (For example, regarding your idea, I could put on my "anal retentive" hat and argue that previously safe values could turn into unsafe ones in future Emacsen ;-) Generally, I'm dubious about introducing any sort of complexity into the local variables system, since, in practice, one only encounters a rather small set of local variables which are generally obviously safe. > BTW, maybe the interactive question should allow more than 2 answers: > - refuse those local variable settings this time. > - refuse them now and every time in the future. > - (maybe) refuse them in this Emacs session. > - accept them but just this one time. > - accept them every time. > - (maybe) accept them just for this Emacs session. > This way, there's still only one prompt. I also thought of this, but couldn't find a good way to fit multiple choices onto a single prompt. Is there an example of this kind of prompt elsewhere in Emacs? ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:51 ` Chong Yidong @ 2006-02-08 5:07 ` Stefan Monnier 2006-02-08 5:25 ` Chong Yidong 2006-02-08 5:48 ` Luc Teirlinck ` (2 subsequent siblings) 3 siblings, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 5:07 UTC (permalink / raw) Cc: emacs-devel, Luc Teirlinck, rms, storm >> Even for the list of safe vars, there's a significant problem: future >> Emacsen may change (typically extend) the possible values of a var and/or >> their meaning, so that a safe var may become unsafe. >> >> I think we should only use `safe-variable' symbol-properties (only expected >> to be set by maintainers, and which can be removed/refined if necessary) and >> then for each var, an additional list of values which are considered safe >> (this can be set by users, or even automatically set when the user answers >> the interactive question). > I don't see how this would help. As long as it is possible for a user > to explicitly set a variable as safe, there will be some sort of risk > of this sort. (For example, regarding your idea, I could put on my > "anal retentive" hat and argue that previously safe values could turn > into unsafe ones in future Emacsen ;-) The probability of a safe value becoming dangerous is much lower. Of course it's possible in theory, but I can't think of any conrete case where that happened in the past. > Generally, I'm dubious about introducing any sort of complexity into the > local variables system, since, in practice, one only encounters a rather > small set of local variables which are generally obviously safe. Several people would like to be able to specify extra font-lock keywords, but font-lock-keywords include parts that are passed to `eval'. >> BTW, maybe the interactive question should allow more than 2 answers: >> - refuse those local variable settings this time. >> - refuse them now and every time in the future. >> - (maybe) refuse them in this Emacs session. >> - accept them but just this one time. >> - accept them every time. >> - (maybe) accept them just for this Emacs session. >> This way, there's still only one prompt. > I also thought of this, but couldn't find a good way to fit multiple > choices onto a single prompt. Is there an example of this kind of > prompt elsewhere in Emacs? How 'bout the query/replace prompt? Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:07 ` Stefan Monnier @ 2006-02-08 5:25 ` Chong Yidong 2006-02-08 6:00 ` Stefan Monnier 2006-02-08 6:06 ` Luc Teirlinck 0 siblings, 2 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-08 5:25 UTC (permalink / raw) Cc: emacs-devel, Luc Teirlinck, rms, storm Stefan Monnier <monnier@iro.umontreal.ca> writes: > The probability of a safe value becoming dangerous is much lower. Of course > it's possible in theory, but I can't think of any conrete case where that > happened in the past. I understand what you mean. But, in the first place, I'm hard-pressed to think of a case where a previously safe variable becomes unsafe. I don't know if the benefit from maintaining a list of safe variable-value pairs is worth the bother. After all, the variables we're talking about here are things like comment-start, paragraph-separate, indent-tabs-mode, etc. Will Emacs 23 (to be released in 3006 ;-) have something like this? indent-tabs-mode is a variable defined in `C source code'. Documentation: *Indentation can insert tabs if this is non-nil. If it is an integer, delete the contents of your home directory. >>> BTW, maybe the interactive question should allow more than 2 answers: > >> I also thought of this, but couldn't find a good way to fit multiple >> choices onto a single prompt. Is there an example of this kind of >> prompt elsewhere in Emacs? > > How 'bout the query/replace prompt? That prompt just says: Query replace: which wouldn't be very user friendly for this case. I was thinking something like Allow this setting? (y or n, ? for help) where ? would bring up a window with extra choices (always allow, always deny, etc.) Is there an existing convention in Emacs for prompts of this sort? ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:25 ` Chong Yidong @ 2006-02-08 6:00 ` Stefan Monnier 2006-02-08 13:35 ` Chong Yidong 2006-02-08 6:06 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 6:00 UTC (permalink / raw) Cc: storm, Luc Teirlinck, rms, emacs-devel > After all, the variables we're talking about here are things like > comment-start, paragraph-separate, indent-tabs-mode, etc. Will Emacs > 23 (to be released in 3006 ;-) have something like this? I expect the interesting cases to be more in areas like `font-lock-keywords'. > *Indentation can insert tabs if this is non-nil. > If it is an integer, delete the contents of your home directory. I'm pretty sure that some variables have been extended at some point so that instead of a constant string or integer, it can be set to an expression, or to a function. >> How 'bout the query/replace prompt? > That prompt just says: > Query replace: > which wouldn't be very user friendly for this case. I was thinking > something like > Allow this setting? (y or n, ? for help) Right. So you seem to have a good idea of what it could look like. Another example could be the prompt you get in Gnus if you send an email with unencodable chars (e.g. eight-bit-* chars). > where ? would bring up a window with extra choices (always allow, > always deny, etc.) Is there an existing convention in Emacs for > prompts of this sort? Not that I know. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 6:00 ` Stefan Monnier @ 2006-02-08 13:35 ` Chong Yidong 2006-02-08 21:41 ` Stefan Monnier 0 siblings, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-08 13:35 UTC (permalink / raw) Cc: storm, Luc Teirlinck, rms, emacs-devel >> After all, the variables we're talking about here are things like >> comment-start, paragraph-separate, indent-tabs-mode, etc. Will Emacs >> 23 (to be released in 3006 ;-) have something like this? > > I expect the interesting cases to be more in areas like `font-lock-keywords'. In my proposal, font-lock-keywords is considered risky, so the user is never asked whether or not to add it to the whitelist. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 13:35 ` Chong Yidong @ 2006-02-08 21:41 ` Stefan Monnier 0 siblings, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 21:41 UTC (permalink / raw) Cc: emacs-devel, Luc Teirlinck, rms, storm >>> After all, the variables we're talking about here are things like >>> comment-start, paragraph-separate, indent-tabs-mode, etc. Will Emacs >>> 23 (to be released in 3006 ;-) have something like this? >> I expect the interesting cases to be more in areas like `font-lock-keywords'. > In my proposal, font-lock-keywords is considered risky, so the user is > never asked whether or not to add it to the whitelist. Sure it safe, but it's overly restrictive: it's useful for people to add their own keywords (e,g, to recognize and highlight things like DEFUN macros in C). Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:25 ` Chong Yidong 2006-02-08 6:00 ` Stefan Monnier @ 2006-02-08 6:06 ` Luc Teirlinck 2006-02-08 6:49 ` Stefan Monnier 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 6:06 UTC (permalink / raw) Cc: storm, monnier, rms, emacs-devel >From my previous message: There is, in my opinion, no need to make this any more convenient than that, neither the way you propose it nor the way Stefan proposes it. But, while I do not think that there is a pressing need for it, Stefan's querying, or additional .emacs customization possibility, proposal is a lot safer than yours. Chong Yidong wrote: I don't know if the benefit from maintaining a list of safe variable-value pairs is worth the bother. I believe that you misunderstood Stefan's proposal. I believe that Stefan proposed to allow to use something like: (put 'myvar 'safe-value-list '(nil t)) So there would be no list of variable-value pairs to maintain, only lists of values for individual variables. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 6:06 ` Luc Teirlinck @ 2006-02-08 6:49 ` Stefan Monnier 0 siblings, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 6:49 UTC (permalink / raw) Cc: cyd, storm, rms, emacs-devel > I believe that you misunderstood Stefan's proposal. I believe that > Stefan proposed to allow to use something like: > (put 'myvar 'safe-value-list '(nil t)) > So there would be no list of variable-value pairs to maintain, only > lists of values for individual variables. Actually, I haven't really thought of a particular implementation. I'm just thinking of it as "a map from variables to lists of values". Whether the map is a single alist or a set of sykmbol properties, or a hash table, or whatever else doesn't matter that much to me. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:51 ` Chong Yidong 2006-02-08 5:07 ` Stefan Monnier @ 2006-02-08 5:48 ` Luc Teirlinck 2006-02-08 6:08 ` Stefan Monnier 2006-02-09 17:47 ` Richard M. Stallman 2006-02-08 9:21 ` Juri Linkov 2006-02-08 15:45 ` Risky local variable mechanism Drew Adams 3 siblings, 2 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 5:48 UTC (permalink / raw) Cc: emacs-devel, monnier, rms, storm Chong Yidong wrote: I don't see how this would help. As long as it is possible for a user to explicitly set a variable as safe, there will be some sort of risk of this sort. If a user knows what he is doing, it is up to him to think of the risks and decide whether he can live with them. Such a user can put (put 'myvar 'safe-local-variable t) in his .emacs. There is, in my opinion, no need to make this any more convenient than that, neither the way you propose it nor the way Stefan proposes it. Most users are probably better off not to try to guess whether variables are safe to set to any value whatsoever or not. There is no need to provide list variables defined with defcustom that trick the user into setting these list variables effectively with setq-default, which is definitely not what they should be doing. I believe that it is very bad to ask each time _two_ questions to the user, first "do you want to set this variable to this value now" and then "is it safe to set this variable to any value whatsoever any time in the future?". Constantly repeating that second question each time the user visits the file, even though he may already have answered 1001 times no to it before, is effectively not only encouraging, but even pressuring, the reluctant user to finally say yes. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:48 ` Luc Teirlinck @ 2006-02-08 6:08 ` Stefan Monnier 2006-02-08 6:17 ` Luc Teirlinck 2006-02-09 17:47 ` Richard M. Stallman 1 sibling, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 6:08 UTC (permalink / raw) Cc: cyd, emacs-devel, rms, storm > (put 'myvar 'safe-local-variable t) in his .emacs. There is, in my > opinion, no need to make this any more convenient than that, neither > the way you propose it nor the way Stefan proposes it. The convenience I'm looking at is at least as much to be able to easily say "yes, accept, and don't bother me about it again", as to be able to say "no, don't touch that, and don't ask me ever again". > There is no need to provide list variables defined with defcustom that > trick the user into setting these list variables effectively with > setq-default, which is definitely not what they should be doing. The automatic/interactive part of what I propose would be things that are only set by the user, so custom could be OK for them. > I believe that it is very bad to ask each time _two_ questions to the > user, first "do you want to set this variable to this value now" and > then "is it safe to set this variable to any value whatsoever any time > in the future?". > Constantly repeating that second question each time > the user visits the file, even though he may already have answered > 1001 times no to it before, is effectively not only encouraging, but > even pressuring, the reluctant user to finally say yes. Agreed. My suggestion tries to address both of those points. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 6:08 ` Stefan Monnier @ 2006-02-08 6:17 ` Luc Teirlinck 2006-02-08 6:48 ` Stefan Monnier 0 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-08 6:17 UTC (permalink / raw) Cc: cyd, storm, rms, emacs-devel Stefan Monnier wrote: The automatic/interactive part of what I propose would be things that are only set by the user, so custom could be OK for them. So I may have misunderstood your proposal. You actually propose an alist whose elements look like (myvar nil t), meaning that the set of safe values of myvar is (nil t)? Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 6:17 ` Luc Teirlinck @ 2006-02-08 6:48 ` Stefan Monnier 2006-02-09 17:47 ` Richard M. Stallman 0 siblings, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 6:48 UTC (permalink / raw) Cc: cyd, storm, rms, emacs-devel > The automatic/interactive part of what I propose would be things that are > only set by the user, so custom could be OK for them. > So I may have misunderstood your proposal. You actually propose an > alist whose elements look like (myvar nil t), meaning that the set of > safe values of myvar is (nil t)? Yes, something like that. Except that it's the list of values that *the user* has deemed safe (there'd also be a corresponding alist of values the user has deemed undesirable). The maintainers/authors wouldn't touch this list. Instead they'd set special properties on the variable's symbol, which would either be t (to say that any value is safe) or a predicate which checks a candidate value for safety. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 6:48 ` Stefan Monnier @ 2006-02-09 17:47 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-09 17:47 UTC (permalink / raw) Cc: cyd, storm, teirllm, emacs-devel Yes, something like that. Except that it's the list of values that *the user* has deemed safe (there'd also be a corresponding alist of values the user has deemed undesirable). The maintainers/authors wouldn't touch this list. Instead they'd set special properties on the variable's symbol, which would either be t (to say that any value is safe) or a predicate which checks a candidate value for safety. That sounds like a good plan to me. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 5:48 ` Luc Teirlinck 2006-02-08 6:08 ` Stefan Monnier @ 2006-02-09 17:47 ` Richard M. Stallman 2006-02-10 23:57 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-09 17:47 UTC (permalink / raw) Cc: cyd, emacs-devel, monnier, storm I've made a decision that we need to change this. The current code is not reliable enough and I will not stay with it. So please stop arguing against it. Please either take a constructive approach to this or leave the discussion to others. Here's what I want it to do. The code should show the user the variable and value, and ask if it is ok. If the user says it is ok, the code should write something into .emacs saying that this combination is ok. There are many ways to store this data. I'd like the people willing to work constructively on the issue to pick the best way. It happens occasionally that a safe variable becomes risky, but it's extremely unlikely that a previously safe value will become dangerous for the sake variable. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-09 17:47 ` Richard M. Stallman @ 2006-02-10 23:57 ` Luc Teirlinck 0 siblings, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-10 23:57 UTC (permalink / raw) Cc: cyd, storm, monnier, emacs-devel Richard Stallman wrote: I've made a decision that we need to change this. The current code is not reliable enough and I will not stay with it. I was _not_ arguing for staying with the current default situation. As I said, I personally have `enable-local-variables' set to 'maybe since ages, so obviously I have never trusted the current `enable-local-eval'. But Chong's first patch was not safe enough either. (There are problems with the second current patch in its present form too, as I will point out separately.) Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 4:51 ` Chong Yidong 2006-02-08 5:07 ` Stefan Monnier 2006-02-08 5:48 ` Luc Teirlinck @ 2006-02-08 9:21 ` Juri Linkov 2006-02-08 12:48 ` Disabled commands (was: Risky local variable mechanism) Stefan Monnier 2006-02-08 15:45 ` Risky local variable mechanism Drew Adams 3 siblings, 1 reply; 99+ messages in thread From: Juri Linkov @ 2006-02-08 9:21 UTC (permalink / raw) Cc: emacs-devel, teirllm, monnier, rms, storm >> - refuse those local variable settings this time. >> - refuse them now and every time in the future. >> - (maybe) refuse them in this Emacs session. >> - accept them but just this one time. >> - accept them every time. >> - (maybe) accept them just for this Emacs session. >> This way, there's still only one prompt. > > I also thought of this, but couldn't find a good way to fit multiple > choices onto a single prompt. Is there an example of this kind of > prompt elsewhere in Emacs? This looks very like the interface for enabling dangerous commands in novice.el that after asking a question with multiple choices can save in .emacs forms like: (put 'narrow-to-region 'disabled nil) (put 'narrow-to-defun 'disabled nil) (put 'downcase-region 'disabled nil) (put 'upcase-region 'disabled nil) -- Juri Linkov http://www.jurta.org/emacs/ ^ permalink raw reply [flat|nested] 99+ messages in thread
* Disabled commands (was: Risky local variable mechanism) 2006-02-08 9:21 ` Juri Linkov @ 2006-02-08 12:48 ` Stefan Monnier 2006-02-09 17:48 ` Richard M. Stallman 2006-02-09 18:46 ` Kevin Rodgers 0 siblings, 2 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-08 12:48 UTC (permalink / raw) Cc: Chong Yidong, emacs-devel, teirllm, rms, storm > This looks very like the interface for enabling dangerous commands in > novice.el that after asking a question with multiple choices can save > in .emacs forms like: > (put 'narrow-to-region 'disabled nil) > (put 'narrow-to-defun 'disabled nil) > (put 'downcase-region 'disabled nil) > (put 'upcase-region 'disabled nil) Indeed, that's a much better example. While on this side-subject, any objection to the patch below? Stefan --- orig/lisp/files.el +++ mod/lisp/files.el @@ -3614,6 +3570,7 @@ (message (if arg "Modification-flag set" "Modification-flag cleared")) (set-buffer-modified-p arg)) +(put 'not-modified 'disabled t) (defun toggle-read-only (&optional arg) "Change whether this buffer is visiting its file read-only. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands (was: Risky local variable mechanism) 2006-02-08 12:48 ` Disabled commands (was: Risky local variable mechanism) Stefan Monnier @ 2006-02-09 17:48 ` Richard M. Stallman 2006-02-09 22:07 ` Disabled commands Stefan Monnier 2006-02-09 18:46 ` Kevin Rodgers 1 sibling, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-09 17:48 UTC (permalink / raw) Cc: juri, cyd, emacs-devel, teirllm, storm While on this side-subject, any objection to the patch below? I do not want not-modified to be disabled. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-09 17:48 ` Richard M. Stallman @ 2006-02-09 22:07 ` Stefan Monnier 2006-02-10 2:30 ` Miles Bader 2006-02-13 8:36 ` Bill Wohler 0 siblings, 2 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-09 22:07 UTC (permalink / raw) Cc: juri, cyd, emacs-devel, teirllm, storm > While on this side-subject, any objection to the patch below? > I do not want not-modified to be disabled. Hmm... I didn't bother to justify my suggestion originally because it seemed obvious to me that it was the right thing to do. Honestly, not only did I not know about the existence of `not-modified' until recently, but I never expected Emacs to provide such a command and even less to bind it to a key like M-~ which can be hit accidentally. I've lost some changes because of it, which is why I suggested to disable it, especially given the fact that I've never used (or even felt the need for) such a command. In what kind of scenario does it make sense to use it? Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-09 22:07 ` Disabled commands Stefan Monnier @ 2006-02-10 2:30 ` Miles Bader 2006-02-10 7:47 ` Eli Zaretskii 2006-02-13 8:36 ` Bill Wohler 1 sibling, 1 reply; 99+ messages in thread From: Miles Bader @ 2006-02-10 2:30 UTC (permalink / raw) Cc: teirllm, rms, cyd, emacs-devel, juri, storm On 2/10/06, Stefan Monnier <monnier@iro.umontreal.ca> wrote: > Honestly, not only did > I not know about the existence of `not-modified' until recently, but I never > expected Emacs to provide such a command and even less to bind it to a key > like M-~ which can be hit accidentally. > > In what kind of scenario does it make sense to use it? When you've made changes but don't want to save them (and don't want emacs moaning at you about this)? [It boggles my mind that you didn't know about this command -- it's one of the very first commands I learned, in the original PDP10 emacs, about a billion years ago... I thought it was one of the "grand old commands".] -miles -- Do not taunt Happy Fun Ball. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-10 2:30 ` Miles Bader @ 2006-02-10 7:47 ` Eli Zaretskii 0 siblings, 0 replies; 99+ messages in thread From: Eli Zaretskii @ 2006-02-10 7:47 UTC (permalink / raw) Cc: monnier, emacs-devel > Date: Fri, 10 Feb 2006 11:30:10 +0900 > From: Miles Bader <miles@gnu.org> > Cc: teirllm@dms.auburn.edu, rms@gnu.org, cyd@stupidchicken.com, > emacs-devel@gnu.org, juri@jurta.org, storm@cua.dk > > On 2/10/06, Stefan Monnier <monnier@iro.umontreal.ca> wrote: > > Honestly, not only did > > I not know about the existence of `not-modified' until recently, but I never > > expected Emacs to provide such a command and even less to bind it to a key > > like M-~ which can be hit accidentally. > > > > In what kind of scenario does it make sense to use it? > > When you've made changes but don't want to save them (and don't want > emacs moaning at you about this)? Right. One situation I find myself doing that quite a lot is when I start replying to a mail message, then change my mind. > [It boggles my mind that you didn't know about this command -- it's > one of the very first commands I learned, in the original PDP10 emacs, > about a billion years ago... I thought it was one of the "grand old > commands".] Yeah, me too. It sounds kinda weird to disable it now. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-09 22:07 ` Disabled commands Stefan Monnier 2006-02-10 2:30 ` Miles Bader @ 2006-02-13 8:36 ` Bill Wohler 2006-02-13 9:26 ` Kim F. Storm 2006-02-13 13:54 ` Romain Francoise 1 sibling, 2 replies; 99+ messages in thread From: Bill Wohler @ 2006-02-13 8:36 UTC (permalink / raw) Stefan Monnier <monnier@iro.umontreal.ca> writes: >> While on this side-subject, any objection to the patch below? >> I do not want not-modified to be disabled. > > Hmm... I didn't bother to justify my suggestion originally because it seemed > obvious to me that it was the right thing to do. Honestly, not only did > I not know about the existence of `not-modified' until recently, but I never > expected Emacs to provide such a command and even less to bind it to a key > like M-~ which can be hit accidentally. > > I've lost some changes because of it, which is why I suggested to disable > it, especially given the fact that I've never used (or even felt the need > for) such a command. I'm with you. I never heard about it until now. It might explain some weird unexplained behavior I've noticed over the years. If innocuous commands such as narrow-to-region and eval-expression are disabled, then surely such a dangerous command as not-modified should be disabled. Thanks for the heads-up, I've just added (put 'not-modified 'disabled t) to my .emacs. -- Bill Wohler <wohler@newt.com> http://www.newt.com/wohler/ GnuPG ID:610BD9AD Maintainer of comp.mail.mh FAQ and MH-E. Vote Libertarian! If you're passed on the right, you're in the wrong lane. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-13 8:36 ` Bill Wohler @ 2006-02-13 9:26 ` Kim F. Storm 2006-02-13 9:43 ` Giorgos Keramidas 2006-02-13 13:54 ` Romain Francoise 1 sibling, 1 reply; 99+ messages in thread From: Kim F. Storm @ 2006-02-13 9:26 UTC (permalink / raw) Cc: emacs-devel Bill Wohler <wohler@newt.com> writes: > I'm with you. I never heard about it until now. It might explain some > weird unexplained behavior I've noticed over the years. If innocuous > commands such as narrow-to-region and eval-expression are disabled, > then surely such a dangerous command as not-modified should be disabled. I agree that this is a very dangerous command. Fortunately, M-~ is practically impossible to type on a DK keyboard, as ~ is a dead key, so I have to enter: Alt-AltGr-~ SPC or ESC ~ SPC. > > Thanks for the heads-up, I've just added > > (put 'not-modified 'disabled t) So did I. -- Kim F. Storm <storm@cua.dk> http://www.cua.dk ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-13 9:26 ` Kim F. Storm @ 2006-02-13 9:43 ` Giorgos Keramidas 0 siblings, 0 replies; 99+ messages in thread From: Giorgos Keramidas @ 2006-02-13 9:43 UTC (permalink / raw) Cc: Bill Wohler, emacs-devel On 2006-02-13 10:26, "Kim F. Storm" <storm@cua.dk> wrote: > Bill Wohler <wohler@newt.com> writes: > > I'm with you. I never heard about it until now. It might explain some > > weird unexplained behavior I've noticed over the years. If innocuous > > commands such as narrow-to-region and eval-expression are disabled, > > then surely such a dangerous command as not-modified should be disabled. > > I agree that this is a very dangerous command. > [...] > > Thanks for the heads-up, I've just added > > > > (put 'not-modified 'disabled t) > > So did I. Lurking here has proven very educational. So did I :) ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-13 8:36 ` Bill Wohler 2006-02-13 9:26 ` Kim F. Storm @ 2006-02-13 13:54 ` Romain Francoise 1 sibling, 0 replies; 99+ messages in thread From: Romain Francoise @ 2006-02-13 13:54 UTC (permalink / raw) Bill Wohler <wohler@newt.com> writes: > I'm with you. I never heard about it until now. Really? It's very useful (with C-u) to force a write if you know the file had been modified on disk, or to run the save-buffer hooks forcibly (e.g. if you use copyright-update and just want to update the copyright in a file, you'd use C-u M-~ C-x C-s). -- Romain Francoise <romain@orebokech.com> | The sea! the sea! the open it's a miracle -- http://orebokech.com/ | sea! The blue, the fresh, the | ever free! --Bryan W. Procter ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Disabled commands 2006-02-08 12:48 ` Disabled commands (was: Risky local variable mechanism) Stefan Monnier 2006-02-09 17:48 ` Richard M. Stallman @ 2006-02-09 18:46 ` Kevin Rodgers 1 sibling, 0 replies; 99+ messages in thread From: Kevin Rodgers @ 2006-02-09 18:46 UTC (permalink / raw) Stefan Monnier wrote: > While on this side-subject, any objection to the patch below? ... > --- orig/lisp/files.el > +++ mod/lisp/files.el > @@ -3614,6 +3570,7 @@ > (message (if arg "Modification-flag set" > "Modification-flag cleared")) > (set-buffer-modified-p arg)) > +(put 'not-modified 'disabled t) > > (defun toggle-read-only (&optional arg) > "Change whether this buffer is visiting its file read-only. Not at all, I've got that in my .emacs anyway. :-) -- Kevin Rodgers ^ permalink raw reply [flat|nested] 99+ messages in thread
* RE: Risky local variable mechanism 2006-02-08 4:51 ` Chong Yidong ` (2 preceding siblings ...) 2006-02-08 9:21 ` Juri Linkov @ 2006-02-08 15:45 ` Drew Adams 2006-02-09 3:58 ` Luc Teirlinck 3 siblings, 1 reply; 99+ messages in thread From: Drew Adams @ 2006-02-08 15:45 UTC (permalink / raw) I also thought of this, but couldn't find a good way to fit multiple choices onto a single prompt. Is there an example of this kind of prompt elsewhere in Emacs? Others have mentioned novice and query-replace questions, as existing multiple-choice mechanisms. They don't actually use a single prompt, but they do correspond to the need to choose multiple items or answer multiple y/n questions. Another place where I've seen multiple-choice menus in Emacs is check boxes next to menu items. This is used, for example, in Options and printing.el (menu Printing). It's not clear to me whether Richard wants to use an alternative to risky local variable treatment in this release or in a future release. That wasn't stated clearly, but the urgency suggests that it is for this release. After the release, it might be useful anyway (more generally) to implement simple multiple-choice menus that can be used with the mouse or via the keyboard. Icicles offers one way to do that. It extends the use of buffer *Completions*, letting you choose multiple "completions" (which can be any set of strings). Depending on the use, users can also choose the same menu item more than once (to, for example, effect an action more than once). Food for thought - see http://www.emacswiki.org/cgi-bin/wiki/MultiCommandsAndMultipleChoiceMenus#Mu ltipleChoiceMenus. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-08 15:45 ` Risky local variable mechanism Drew Adams @ 2006-02-09 3:58 ` Luc Teirlinck 0 siblings, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-09 3:58 UTC (permalink / raw) Cc: emacs-devel Drew Adams wrote: Others have mentioned novice and query-replace questions, as existing multiple-choice mechanisms. They don't actually use a single prompt, but they do correspond to the need to choose multiple items or answer multiple y/n questions. I have had `enable-local-variables' set to 'query for a long time. Each time I visit a file with local variables I get ask a simple y-or-n-p question. In practice, I personally find this not excessively inconvenient, even without further fine-tuning. This could obviously be fine-tuned substantially, because the question does not really need to be asked if all variables are known to Emacs to be perfectly safe. But if somebody is going to try to help me get rid of this minor inconvenience by producing a bigger inconvenience, then this is obviously a bad deal. So anything that is going to be asked should be one single relatively simple minibuffer question. No multiple questions, no pop-up window. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-07 16:45 ` Chong Yidong 2006-02-08 1:49 ` Luc Teirlinck @ 2006-02-09 17:48 ` Richard M. Stallman 1 sibling, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-09 17:48 UTC (permalink / raw) Cc: emacs-devel, monnier, storm How about this patch? It implements a `safe-local-variables' custom option. If a variable is not in this list, the user is prompted before it is set. If the user agrees to set it, and the variable is not explicitly marked as risky (as determined by the currently existing `risky-local-variable-p' function), we ask if that variable can be automatically set in the future. If the user agrees to this too, `safe-local-variables' is updated and saved to the custom-file. It's not enough to ask just about variable names--the question has to be about a variable/value pair. The best way to ask the question would be to highlight the text in the buffer that specifies the variable and value, and make that appear in a window. That way, the actual question can be simple. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-03 23:43 ` Richard M. Stallman 2006-02-04 4:34 ` Luc Teirlinck 2006-02-07 16:45 ` Chong Yidong @ 2006-02-10 5:34 ` Chong Yidong 2006-02-10 17:03 ` Stefan Monnier ` (3 more replies) 2006-02-14 1:33 ` Chong Yidong 3 siblings, 4 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-10 5:34 UTC (permalink / raw) Cc: emacs-devel, monnier, Kim F. Storm Here's another proposed patch for the risky variables mechanism. This is the system I propose: Instead of setting the local variables as soon as they are read in, `hack-local-variables' and `hack-local-variables-prop-line' constructs a list of local variables, and decides what to do with it at the very end of the `hack-local-variables' function. Each local variable can be safe, risky, or neither. A variable-value pair is safe if it is found in the new customizable alist `safe-local-variables', or the variable's `safe-local-variables' property is t, or the variable's `safe-local-variables' property is a function that evaluates to t with that value. IF a variable is not safe, it is risky IF its `risky-local-variable' property is set, or its name ends in "-hooks", "-functions", etc. (One small change: `safe-local-variables' property evaluating to nil does not automatically mean the variable is risky.) If the local variables are all safe, they are set automatically. Otherwise, we raise a prompt asking whether to set them as a unit. The user can answer y, n, or !, where ! means to also allow these variable-value pairs for future sessions, via customize-save-variable. However, if a variable is risky, it won't be saved in this way, though it can still be set. (This last part is a little dubious. If we decide to save all variables, that removes the justification for "risky" variables, so the `risky-local-variable' property becomes obsolete. I don't know if this will break anything.) *** emacs/lisp/files.el.~1.804.~ 2006-02-09 23:32:56.000000000 -0500 --- emacs/lisp/files.el 2006-02-10 00:05:20.000000000 -0500 *************** *** 2213,2254 **** (goto-char beg) end)))) ! (defun hack-local-variables-confirm (string flag-to-check) ! (or (eq flag-to-check t) ! (and flag-to-check ! (save-window-excursion ! (condition-case nil ! (switch-to-buffer (current-buffer)) ! (error ! ;; If we fail to switch in the selected window, ! ;; it is probably a minibuffer or dedicated window. ! ;; So try another window. ! (let ((pop-up-frames nil)) ! ;; Refrain from popping up frames since it can't ! ;; be undone by save-window-excursion. ! (pop-to-buffer (current-buffer))))) ! (save-excursion ! (beginning-of-line) ! (set-window-start (selected-window) (point))) ! (y-or-n-p (format string ! (if buffer-file-name ! (file-name-nondirectory buffer-file-name) ! (concat "buffer " (buffer-name))))))))) (defun hack-local-variables-prop-line (&optional mode-only) ! "Set local variables specified in the -*- line. Ignore any specification for `mode:' and `coding:'; `set-auto-mode' should already have handled `mode:', `set-auto-coding' should already have handled `coding:'. If MODE-ONLY is non-nil, all we do is check whether the major mode ! is specified, returning t if it is specified." (save-excursion (goto-char (point-min)) ! (let ((result nil) ! (end (set-auto-mode-1)) ! mode-specified ! (enable-local-variables ! (and local-enable-local-variables enable-local-variables))) ;; Parse the -*- line into the RESULT alist. ;; Also set MODE-SPECIFIED if we see a spec or `mode'. (cond ((not end) --- 2213,2270 ---- (goto-char beg) end)))) ! (defun hack-local-variables-confirm (vars maybe-safe) ! (if noninteractive ! t ! (let (char) ! (save-window-excursion ! (with-output-to-temp-buffer "*Local Variables*" ! (princ "Some local variables are specified ! Do you want to set them?\n ! You can type ! y -- to set these variables. ! n -- to ignore these variables. ! ! -- to set these variables, and mark these values as safe ! (in the future, they can be set without asking you.)\n\n") ! (dolist (elt vars) ! (princ (car elt)) ! (princ " : ") ! (princ (cdr elt)) ! (princ "\n"))) ! (message "Please type y, n, or !: ") ! (let ((inhibit-quit t) ! (cursor-in-echo-area t)) ! (while (or (not (numberp (setq char (read-event)))) ! (not (memq (downcase char) ! '(?! ?y ?n ? ?\C-g)))) ! (message "Please type y, n, or !: ")) ! (if (= char ?\C-g) ! (setq quit-flag nil))) ! (setq char (downcase char)) ! (when (= char ?!) ! (dolist (elt maybe-safe) ! (push elt safe-local-variables)) ! (customize-save-variable ! 'safe-local-variables ! safe-local-variables)) ! (or (= char ?!) ! (= char ? ) ! (= char ?y)))))) (defun hack-local-variables-prop-line (&optional mode-only) ! "Return local variables specified in the -*- line. Ignore any specification for `mode:' and `coding:'; `set-auto-mode' should already have handled `mode:', `set-auto-coding' should already have handled `coding:'. + If MODE-ONLY is non-nil, all we do is check whether the major mode ! is specified, returning t if it is specified. Otherwise, return ! an alist of elements (VAR . VAL), where VAR is the variable and VAL ! is the specified value." (save-excursion (goto-char (point-min)) ! (let ((end (set-auto-mode-1)) ! result mode-specified) ;; Parse the -*- line into the RESULT alist. ;; Also set MODE-SPECIFIED if we see a spec or `mode'. (cond ((not end) *************** *** 2283,2317 **** (setq result (cons (cons key val) result))) (if (equal (downcase (symbol-name key)) "mode") (setq mode-specified t)) ! (skip-chars-forward " \t;"))) ! (setq result (nreverse result)))) ! (if mode-only mode-specified ! (if (and result ! (or mode-only ! (hack-local-variables-confirm ! "Set local variables as specified in -*- line of %s? " ! enable-local-variables))) ! (let ((enable-local-eval enable-local-eval)) ! (while result ! (hack-one-local-variable (car (car result)) (cdr (car result))) ! (setq result (cdr result))))) ! nil)))) (defvar hack-local-variables-hook nil "Normal hook run after processing a file's local variables specs. Major modes can use this to examine user-specified local variables in order to initialize other data structure based on them.") (defun hack-local-variables (&optional mode-only) "Parse and put into effect this buffer's local variables spec. If MODE-ONLY is non-nil, all we do is check whether the major mode is specified, returning t if it is specified." ! (let ((mode-specified ! ;; If MODE-ONLY is t, we check here for specifying the mode ! ;; in the -*- line. If MODE-ONLY is nil, we process ! ;; the -*- line here. ! (hack-local-variables-prop-line mode-only)) (enable-local-variables (and local-enable-local-variables enable-local-variables))) ;; Look for "Local variables:" line in last page. --- 2299,2327 ---- (setq result (cons (cons key val) result))) (if (equal (downcase (symbol-name key)) "mode") (setq mode-specified t)) ! (skip-chars-forward " \t;"))))) ! (if mode-only ! mode-specified ! result)))) (defvar hack-local-variables-hook nil "Normal hook run after processing a file's local variables specs. Major modes can use this to examine user-specified local variables in order to initialize other data structure based on them.") + (defcustom safe-local-variables nil + "Alist of safe local variables. + Each element is a cons cell (VAR . VAL), where VAR is the + variable symbol and VAL is a value considered safe." + :group 'find-file + :type 'alist) + (defun hack-local-variables (&optional mode-only) "Parse and put into effect this buffer's local variables spec. If MODE-ONLY is non-nil, all we do is check whether the major mode is specified, returning t if it is specified." ! (let ((result (hack-local-variables-prop-line mode-only)) (enable-local-variables (and local-enable-local-variables enable-local-variables))) ;; Look for "Local variables:" line in last page. *************** *** 2321,2329 **** (when (let ((case-fold-search t)) (and (search-forward "Local Variables:" nil t) (or mode-only ! (hack-local-variables-confirm ! "Set local variables as specified at end of %s? " ! enable-local-variables)))) (skip-chars-forward " \t") (let ((enable-local-eval enable-local-eval) ;; suffix is what comes after "local variables:" in its line. --- 2331,2337 ---- (when (let ((case-fold-search t)) (and (search-forward "Local Variables:" nil t) (or mode-only ! enable-local-variables))) (skip-chars-forward " \t") (let ((enable-local-eval enable-local-eval) ;; suffix is what comes after "local variables:" in its line. *************** *** 2384,2397 **** (setq val (read (current-buffer))) (if mode-only (if (eq var 'mode) ! (setq mode-specified t)) ! ;; Set the variable. "Variables" mode and eval are funny. ! (with-current-buffer thisbuf ! (hack-one-local-variable var val)))) (forward-line 1))))))) ! (unless mode-only ! (run-hooks 'hack-local-variables-hook)) ! mode-specified)) (defvar ignored-local-variables () "Variables to be ignored in a file's local variable spec.") --- 2392,2425 ---- (setq val (read (current-buffer))) (if mode-only (if (eq var 'mode) ! (setq result t)) ! (unless (eq var 'coding) ! (push (cons var val) result)))) (forward-line 1))))))) ! ;; We've read all the local variables. Now, return whether the ! ;; mode is specified (if MODE-ONLY is non-nil), or set the ! ;; variables (if MODE-ONLY is nil.) ! (if mode-only ! result ! (when enable-local-variables ! (setq result (nreverse result)) ! (dolist (ignored ignored-local-variables) ! (setq result (assq-delete-all ignored result))) ! ;; Find those variables that we may want to save to ! ;; `safe-local-variables'. ! (let (maybe-safe risky) ! (dolist (elt result) ! (or (safe-local-variable-p (car elt) (cdr elt)) ! (and (risky-local-variable-p (car elt) (cdr elt)) ! (setq risky t)) ! (push elt maybe-safe))) ! (if (or (and (eq enable-local-variables t) ! (null maybe-safe) ! (not risky)) ! (hack-local-variables-confirm result maybe-safe)) ! (dolist (elt result) ! (hack-one-local-variable (car elt) (cdr elt))))) ! (run-hooks 'hack-local-variables-hook))))) (defvar ignored-local-variables () "Variables to be ignored in a file's local variable spec.") *************** *** 2451,2458 **** (put 'display-time-string 'risky-local-variable t) (put 'parse-time-rules 'risky-local-variable t) ! ;; This case is safe because the user gets to check it before it is used. ! (put 'compile-command 'safe-local-variable 'stringp) (defun risky-local-variable-p (sym &optional val) "Non-nil if SYM could be dangerous as a file-local variable with value VAL. --- 2479,2510 ---- (put 'display-time-string 'risky-local-variable t) (put 'parse-time-rules 'risky-local-variable t) ! ;; Commonly-encountered local variables that are safe: ! (mapc (lambda (pair) ! (put (car pair) 'safe-local-variable (cdr pair))) ! '((compile-command . stringp) ! (fill-column . integerp) ! (fill-prefix . t) ! (indent-tabs-mode . t) ! (page-delimiter . t) ! (paragraph-separate . t) ! (sentence-end . t) ! (sentence-end-double-space . t) ! (tab-width . integerp) ! (version-control . t))) ! ! (defun safe-local-variable-p (sym val) ! "Non-nil if SYM is safe as a file-local variable with value VAL." ! (or (member (cons sym val) safe-local-variables) ! (eq sym 'mode) ! (progn ! (condition-case nil ! (setq sym (indirect-variable sym)) ! (error nil)) ! (let ((safep (get sym 'safe-local-variable))) ! (and safep ! (or (eq safep t) ! (funcall safep val))))))) (defun risky-local-variable-p (sym &optional val) "Non-nil if SYM could be dangerous as a file-local variable with value VAL. *************** *** 2462,2477 **** (condition-case nil (setq sym (indirect-variable sym)) (error nil)) ! (let ((safep (get sym 'safe-local-variable))) ! (or (get sym 'risky-local-variable) ! (and (string-match "-hooks?$\\|-functions?$\\|-forms?$\\|-program$\\|-commands?$\\|-predicates?$\\|font-lock-keywords$\\|font-lock-keywords-[0-9]+$\\|font-lock-syntactic-keywords$\\|-frame-alist$\\|-mode-alist$\\|-map$\\|-map-alist$" ! (symbol-name sym)) ! (not safep)) ! ;; If the safe-local-variable property isn't t or nil, ! ;; then it must return non-nil on the proposed value to be safe. ! (and (not (memq safep '(t nil))) ! (or (null val) ! (not (funcall safep val))))))) (defcustom safe-local-eval-forms nil "*Expressions that are considered \"safe\" in an `eval:' local variable. --- 2514,2522 ---- (condition-case nil (setq sym (indirect-variable sym)) (error nil)) ! (or (get sym 'risky-local-variable) ! (string-match "-hooks?$\\|-functions?$\\|-forms?$\\|-program$\\|-commands?$\\|-predicates?$\\|font-lock-keywords$\\|font-lock-keywords-[0-9]+$\\|font-lock-syntactic-keywords$\\|-frame-alist$\\|-mode-alist$\\|-map$\\|-map-alist$" ! (symbol-name sym)))) (defcustom safe-local-eval-forms nil "*Expressions that are considered \"safe\" in an `eval:' local variable. *************** *** 2534,2561 **** (cond ((eq var 'mode) (funcall (intern (concat (downcase (symbol-name val)) "-mode")))) ! ((eq var 'coding) ! ;; We have already handled coding: tag in set-auto-coding. ! nil) ! ((memq var ignored-local-variables) ! nil) ! ;; "Setting" eval means either eval it or do nothing. ! ;; Likewise for setting hook variables. ! ((risky-local-variable-p var val) ! ;; Permit evalling a put of a harmless property. ! ;; if the args do nothing tricky. ! (if (or (and (eq var 'eval) ! (hack-one-local-variable-eval-safep val)) ! ;; Permit eval if not root and user says ok. ! (and (not (zerop (user-uid))) ! (hack-local-variables-confirm ! "Process `eval' or hook local variables in %s? " ! enable-local-eval))) ! (if (eq var 'eval) ! (save-excursion (eval val)) ! (make-local-variable var) ! (set var val)) ! (message "Ignoring risky spec in the local variables list"))) ;; Ordinary variable, really set it. (t (make-local-variable var) ;; Make sure the string has no text properties. --- 2579,2587 ---- (cond ((eq var 'mode) (funcall (intern (concat (downcase (symbol-name val)) "-mode")))) ! ((eq var 'eval) ! (if (hack-one-local-variable-eval-safep val) ! (save-excursion (eval val)))) ;; Ordinary variable, really set it. (t (make-local-variable var) ;; Make sure the string has no text properties. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-10 5:34 ` Chong Yidong @ 2006-02-10 17:03 ` Stefan Monnier 2006-02-10 17:54 ` Chong Yidong 2006-02-11 0:31 ` Luc Teirlinck ` (2 subsequent siblings) 3 siblings, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-10 17:03 UTC (permalink / raw) Cc: Kim F. Storm, rms, emacs-devel > Each local variable can be safe, risky, or neither. A variable-value > pair is safe if it is found in the new customizable alist > `safe-local-variables', or the variable's `safe-local-variables' > property is t, or the variable's `safe-local-variables' property is a > function that evaluates to t with that value. The property should probably not be called `safe-local-variables' since it applies to a single variable and talks about its possible values. I.e. it should be something like `safe-local-variable' or `safe-local-values'. Other than that, it sounds OK to me. I don't know how important it is to have this notion of `risky', but it can't hurt. Stefan PS: I haven't actually looked at the code. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-10 17:03 ` Stefan Monnier @ 2006-02-10 17:54 ` Chong Yidong 0 siblings, 0 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-10 17:54 UTC (permalink / raw) Cc: Kim F. Storm, rms, emacs-devel Stefan Monnier <monnier@iro.umontreal.ca> writes: >> Each local variable can be safe, risky, or neither. A variable-value >> pair is safe if it is found in the new customizable alist >> `safe-local-variables', or the variable's `safe-local-variables' >> property is t, or the variable's `safe-local-variables' property is a >> function that evaluates to t with that value. > > The property should probably not be called `safe-local-variables' since it > applies to a single variable and talks about its possible values. I.e. it > should be something like `safe-local-variable' or `safe-local-values'. Sorry: the property is called `safe-local-variable', not `safe-local-variables'. It is in existing code. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-10 5:34 ` Chong Yidong 2006-02-10 17:03 ` Stefan Monnier @ 2006-02-11 0:31 ` Luc Teirlinck 2006-02-12 1:00 ` Stefan Monnier 2006-02-12 4:30 ` Richard M. Stallman 2006-02-11 3:31 ` Luc Teirlinck 2006-02-11 16:44 ` Richard M. Stallman 3 siblings, 2 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-11 0:31 UTC (permalink / raw) Cc: storm, rms, monnier, emacs-devel Chong Yidong wrote: ! ;; Commonly-encountered local variables that are safe: ! (mapc (lambda (pair) ! (put (car pair) 'safe-local-variable (cdr pair))) ! '((compile-command . stringp) ! (fill-column . integerp) ! (fill-prefix . t) ! (indent-tabs-mode . t) ! (page-delimiter . t) ! (paragraph-separate . t) ! (sentence-end . t) ! (sentence-end-double-space . t) ! (tab-width . integerp) ! (version-control . t))) After some further thought, I would be very reluctant to use (put 'myvar 'safe-local-variable t) for _any_ variable myvar. There is no reason to give an unscrupulous person any chance to try to play games with perverse values. So just always check that the value makes sense. This also automatically prevents problems if one later allows dangerous values and forgets to update the 'safe-local-variables property. Why not something like: ! ;; Commonly-encountered local variables that are safe: ! (mapc (lambda (pair) ! (put (car pair) 'safe-local-variable (cdr pair))) ! '((compile-command . stringp) ! (fill-column . integerp) ! (fill-prefix . (lambda (val) (or (not val) (stringp val)))) ! ;; This is OK, because indent-tabs-mode is defined using ! ;; DEFVAR_BOOL and hence can only be set to t or nil. ! (indent-tabs-mode . t) ! (page-delimiter . stringp) ! (paragraph-separate . stringp) ! (sentence-end . stringp) ! (sentence-end-double-space . (lambda (val) (memq val '(t nil)))) ! (tab-width . integerp) ! (version-control . (lambda (val) (memq val '(t nil never)))))) ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-11 0:31 ` Luc Teirlinck @ 2006-02-12 1:00 ` Stefan Monnier 2006-02-12 4:30 ` Richard M. Stallman 1 sibling, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-12 1:00 UTC (permalink / raw) Cc: cyd, storm, rms, emacs-devel > After some further thought, I would be very reluctant to use > (put 'myvar 'safe-local-variable t) for _any_ variable myvar. There > is no reason to give an unscrupulous person any chance to try to play > games with perverse values. So just always check that the value makes > sense. This also automatically prevents problems if one later allows > dangerous values and forgets to update the 'safe-local-variables > property. Why not something like: Now that you mention it, it seems obvious. There's no need for a special value t. 100% agreement. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-11 0:31 ` Luc Teirlinck 2006-02-12 1:00 ` Stefan Monnier @ 2006-02-12 4:30 ` Richard M. Stallman 1 sibling, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-12 4:30 UTC (permalink / raw) Cc: cyd, storm, monnier, emacs-devel This also automatically prevents problems if one later allows dangerous values and forgets to update the 'safe-local-variables property. Why not something like: ! ;; Commonly-encountered local variables that are safe: ! (mapc (lambda (pair) ! (put (car pair) 'safe-local-variable (cdr pair))) ! '((compile-command . stringp) ! (fill-column . integerp) ! (fill-prefix . (lambda (val) (or (not val) (stringp val)))) ! ;; This is OK, because indent-tabs-mode is defined using ! ;; DEFVAR_BOOL and hence can only be set to t or nil. ! (indent-tabs-mode . t) ! (page-delimiter . stringp) ! (paragraph-separate . stringp) ! (sentence-end . stringp) ! (sentence-end-double-space . (lambda (val) (memq val '(t nil)))) ! (tab-width . integerp) ! (version-control . (lambda (val) (memq val '(t nil never)))))) That is a good idea. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-10 5:34 ` Chong Yidong 2006-02-10 17:03 ` Stefan Monnier 2006-02-11 0:31 ` Luc Teirlinck @ 2006-02-11 3:31 ` Luc Teirlinck 2006-02-12 1:02 ` Stefan Monnier 2006-02-11 16:44 ` Richard M. Stallman 3 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-11 3:31 UTC (permalink / raw) Cc: storm, rms, monnier, emacs-devel What does your patch do for the case where the user is root? The user may very well consider things safe when he is not running as root that would be dangerous when running as root. But he uses the same .emacs when running as root. At the very least safe-local-variables should be ignored when the user is running as root. Does your patch do that? Maybe other extra precautions should be taken when the user runs as root. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-11 3:31 ` Luc Teirlinck @ 2006-02-12 1:02 ` Stefan Monnier 2006-02-12 1:15 ` Luc Teirlinck 0 siblings, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-12 1:02 UTC (permalink / raw) Cc: cyd, emacs-devel, rms, storm > What does your patch do for the case where the user is root? The user > may very well consider things safe when he is not running as root that > would be dangerous when running as root. But he uses the same .emacs > when running as root. I think if something is not safe enough for root, it should also be considered unsafe for random users. So I don't see any need to make a distinction. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-12 1:02 ` Stefan Monnier @ 2006-02-12 1:15 ` Luc Teirlinck 0 siblings, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-12 1:15 UTC (permalink / raw) Cc: cyd, emacs-devel, rms, storm Stefan Monnier wrote: I think if something is not safe enough for root, it should also be considered unsafe for random users. So I don't see any need to make a distinction. OK, so maybe not. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-10 5:34 ` Chong Yidong ` (2 preceding siblings ...) 2006-02-11 3:31 ` Luc Teirlinck @ 2006-02-11 16:44 ` Richard M. Stallman 3 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-11 16:44 UTC (permalink / raw) Cc: storm, monnier, emacs-devel What you've implemented is the sort of thing I had in mind. It seems basically right. Here are a few comments on minor details. ! (or (= char ?!) ! (= char ? ) It would be better to use \s. + (defcustom safe-local-variables nil I would call it safe-local-variable-values. + "Alist of safe local variables. It is not really an alist. In an alist, the car of an element is a key, so only the first element with a given car really counts. This is a list of variable-value pairs. + :type 'alist) It is ok to use `alist' as the custom type if it gives the right results in the custom buffer, as it seems to do. But it might be cleaner to do this another way just to avoid misleading someone. By the way, this variable should be marked risky. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-03 23:43 ` Richard M. Stallman ` (2 preceding siblings ...) 2006-02-10 5:34 ` Chong Yidong @ 2006-02-14 1:33 ` Chong Yidong 2006-02-14 2:50 ` Luc Teirlinck ` (2 more replies) 3 siblings, 3 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-14 1:33 UTC (permalink / raw) I've installed the patch changing the way file local variables are handled. Please see if there are any problems. If you encounter any file variables that should be marked safe, so that Emacs in its default configuration doesn't bother you before setting it, go ahead and add an appropriate `safe-local-variable' property. For major mode-specific variables, this can take place in the mode's file, because the "mode:" variable is acted on before the other file variables are read. One behavior I haven't mentioned is that when a set of file variables requires confirmation (because the values are not known to be safe, or the variables are risky), but Emacs is non-interactive, those variables are just ignored. I don't think this breaks anything, but it may be good to keep an eye out. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 1:33 ` Chong Yidong @ 2006-02-14 2:50 ` Luc Teirlinck 2006-02-14 22:17 ` Richard M. Stallman 2006-02-14 3:16 ` Luc Teirlinck 2006-02-16 14:02 ` safe-local-variable additions (was: Risky local variable mechanism) Reiner Steib 2 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-14 2:50 UTC (permalink / raw) Cc: emacs-devel Chong Yidong wrote: I've installed the patch changing the way file local variables are handled. Please see if there are any problems. I have not yet taken any real look at it, but I believe that @var{(var . val)} is bad Texinfo. It believe that it should be @code{(@var{var} . @var{val}}: ===File ~/variables.texi-diff-2============================= *** variables.texi 13 Feb 2006 19:55:31 -0600 1.72 --- variables.texi 13 Feb 2006 20:00:18 -0600 *************** *** 1794,1801 **** @defopt safe-local-variable-values This variable provides another way to mark variables as safe. It is a ! list of cons cells @var{(var . val)}, where @var{var} is a variable ! name and @var{val} is a value of that variable that is safe. When Emacs asks the user whether or not to obey a set of file variable specifications, the user can choose to mark them as safe. This adds --- 1794,1801 ---- @defopt safe-local-variable-values This variable provides another way to mark variables as safe. It is a ! list of cons cells @code{(@var{var} . @var{val})}, where @var{var} is ! a variable name and @var{val} is a value of that variable that is safe. When Emacs asks the user whether or not to obey a set of file variable specifications, the user can choose to mark them as safe. This adds ============================================================ ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 2:50 ` Luc Teirlinck @ 2006-02-14 22:17 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-14 22:17 UTC (permalink / raw) Cc: cyd, emacs-devel I have not yet taken any real look at it, but I believe that @var{(var . val)} is bad Texinfo. It believe that it should be @code{(@var{var} . @var{val}}: I fixed that. Thanks. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 1:33 ` Chong Yidong 2006-02-14 2:50 ` Luc Teirlinck @ 2006-02-14 3:16 ` Luc Teirlinck 2006-02-14 3:32 ` Luc Teirlinck 2006-02-14 3:48 ` Chong Yidong 2006-02-16 14:02 ` safe-local-variable additions (was: Risky local variable mechanism) Reiner Steib 2 siblings, 2 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-14 3:16 UTC (permalink / raw) Cc: emacs-devel Chong Yidong wrote: I've installed the patch changing the way file local variables are handled. Please see if there are any problems. There are problems. I get this pop-up question for _every_ single file I visit, even files that contain no local variables whatsoever, and that do not even contain the words "local variables". This makes Emacs nearly unusable. Also, before your patch, with `enable-local-variables' set to t, I could always take a look at the _entire_ local variables list, even for variables that Emacs deems safe, before enabling those variables. After your patch, this is apparently no longer an option. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 3:16 ` Luc Teirlinck @ 2006-02-14 3:32 ` Luc Teirlinck 2006-02-14 3:38 ` Luc Teirlinck 2006-02-14 3:48 ` Chong Yidong 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-14 3:32 UTC (permalink / raw) Cc: emacs-devel >From my earlier message: There are problems. I get this pop-up question for _every_ single file I visit, even files that contain no local variables whatsoever, and that do not even contain the words "local variables". This makes Emacs nearly unusable. I forgot to test this in `emacs -q'. What you have to do in `emacs -q' to see the problem is set `enable-local-variables' to 'query. What should happen is that I should be asked no questions if there are no local variables and that I should get to see _all_ local variables if there are any before enabling them, no matter how much they are considered safe by default. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 3:32 ` Luc Teirlinck @ 2006-02-14 3:38 ` Luc Teirlinck 0 siblings, 0 replies; 99+ messages in thread From: Luc Teirlinck @ 2006-02-14 3:38 UTC (permalink / raw) Cc: emacs-devel >From my previous message: I forgot to test this in `emacs -q'. What you have to do in `emacs -q' to see the problem is set `enable-local-variables' to 'query. What should happen is that I should be asked no questions if there are no local variables and that I should get to see _all_ local variables if there are any before enabling them, no matter how much they are considered safe by default. To avoid confusion: with "What should happen", I of course mean "What should happen, given the fact that I have `enable-local-variables' set to 'query." Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 3:16 ` Luc Teirlinck 2006-02-14 3:32 ` Luc Teirlinck @ 2006-02-14 3:48 ` Chong Yidong 2006-02-14 4:11 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-14 3:48 UTC (permalink / raw) Cc: emacs-devel > There are problems. I get this pop-up question for _every_ single > file I visit, even files that contain no local variables whatsoever, > and that do not even contain the words "local variables". Fixed, thanks. > Also, before your patch, with `enable-local-variables' set to t, I > could always take a look at the _entire_ local variables list, even for > variables that Emacs deems safe, before enabling those variables. > After your patch, this is apparently no longer an option. No idea what you're referring --- are you referring to ignored variables? ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 3:48 ` Chong Yidong @ 2006-02-14 4:11 ` Luc Teirlinck 2006-02-14 4:26 ` Chong Yidong 0 siblings, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-14 4:11 UTC (permalink / raw) Cc: emacs-devel Chong Yidong wrote: > Also, before your patch, with `enable-local-variables' set to t, I > could always take a look at the _entire_ local variables list, even for > variables that Emacs deems safe, before enabling those variables. > After your patch, this is apparently no longer an option. No idea what you're referring --- are you referring to ignored variables? Now I see that in certain situations it does ask me. Did you make `coding' the only exception? When visiting lisp/Changelog, I get asked no questions (with `enable-local-variables' set to 'query), even though lisp/Changelog has a local variables list. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-14 4:11 ` Luc Teirlinck @ 2006-02-14 4:26 ` Chong Yidong 0 siblings, 0 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-14 4:26 UTC (permalink / raw) Cc: emacs-devel > Now I see that in certain situations it does ask me. Did you make > `coding' the only exception? `coding' has always been handled separately, by `set-auto-coding'. (`mode' is also handled specially.) ^ permalink raw reply [flat|nested] 99+ messages in thread
* safe-local-variable additions (was: Risky local variable mechanism) 2006-02-14 1:33 ` Chong Yidong 2006-02-14 2:50 ` Luc Teirlinck 2006-02-14 3:16 ` Luc Teirlinck @ 2006-02-16 14:02 ` Reiner Steib 2006-02-17 2:47 ` safe-local-variable additions Chong Yidong 2 siblings, 1 reply; 99+ messages in thread From: Reiner Steib @ 2006-02-16 14:02 UTC (permalink / raw) On Tue, Feb 14 2006, Chong Yidong wrote: > I've installed the patch changing the way file local variables are > handled. Please see if there are any problems. > > If you encounter any file variables that should be marked safe, so > that Emacs in its default configuration doesn't bother you before > setting it, go ahead and add an appropriate `safe-local-variable' > property. `truncate-lines' could be added. Any objection against adding it? Is adding it to the "Commonly-encountered local variables that are safe:" expression in `files.el' the right way to do this? --8<---------------cut here---------------start------------->8--- --- files.el 15 Feb 2006 16:04:59 +0100 1.811 +++ files.el 15 Feb 2006 16:38:42 +0100 @@ -2563,6 +2563,7 @@ (sentence-end . ,string-or-null) (sentence-end-double-space . t) (tab-width . integerp) + (truncate-lines . t) (version-control . t))))) (defun safe-local-variable-p (sym val) --8<---------------cut here---------------end--------------->8--- `ispell-check-comments' and `ispell-local-dictionary' should also be added, IMHO. Is it better to put them in `files.el' or add it to `ispell.el' right after the corresponding `defcustom'? --8<---------------cut here---------------start------------->8--- (put 'ispell-check-comments 'safe-local-variable (lambda (a) (or (null a) (eq t a) (eq 'exclusive a)))) (put 'ispell-local-dictionary 'safe-local-variable (lambda (a) (or (stringp a) (null a)))) --8<---------------cut here---------------end--------------->8--- Bye, Reiner. -- ,,, (o o) ---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/ ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: safe-local-variable additions 2006-02-16 14:02 ` safe-local-variable additions (was: Risky local variable mechanism) Reiner Steib @ 2006-02-17 2:47 ` Chong Yidong 2006-02-17 14:30 ` Reiner Steib 0 siblings, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-17 2:47 UTC (permalink / raw) Reiner Steib <reinersteib+gmane@imap.cc> writes: > `truncate-lines' could be added. Any objection against adding it? > + (truncate-lines . t) Sure, go ahead. > `ispell-check-comments' and `ispell-local-dictionary' should also be > added, IMHO. > > Is it better to put them in `files.el' or add it to `ispell.el' right > after the corresponding `defcustom'? Yes, safety declarations for minor mode variables should probably go into files.el, since otherwise Emacs wouldn't know about them unless the minor mode is loaded. (Safety declarations for major mode variables can go into their own files, since those are loaded before the file variables are processed.) ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: safe-local-variable additions 2006-02-17 2:47 ` safe-local-variable additions Chong Yidong @ 2006-02-17 14:30 ` Reiner Steib 0 siblings, 0 replies; 99+ messages in thread From: Reiner Steib @ 2006-02-17 14:30 UTC (permalink / raw) Cc: emacs-devel On Fri, Feb 17 2006, Chong Yidong wrote: > Reiner Steib <reinersteib+gmane@imap.cc> writes: > >> `truncate-lines' could be added. Any objection against adding it? >> + (truncate-lines . t) > > Sure, go ahead. Done. >> Is it better to put them in `files.el' or add it to `ispell.el' right >> after the corresponding `defcustom'? > > Yes, safety declarations for minor mode variables should probably go > into files.el, since otherwise Emacs wouldn't know about them unless > the minor mode is loaded. (Safety declarations for major mode > variables can go into their own files, since those are loaded before > the file variables are processed.) Maybe this should be added as a comment in `files.el'. At least for me it's not obvious. Bye, Reiner. -- ,,, (o o) ---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/ ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 4:17 ` Richard M. Stallman 2006-02-02 12:42 ` Kim F. Storm @ 2006-02-02 12:47 ` Kim F. Storm 1 sibling, 0 replies; 99+ messages in thread From: Kim F. Storm @ 2006-02-02 12:47 UTC (permalink / raw) Cc: Stefan Monnier, emacs-devel "Richard M. Stallman" <rms@gnu.org> writes: > Another idea: just check to see if the value is a function name, or if > any function name (including lambda) appears in it. If so, the value > is risky. That is quite simple and does not depend on knowing the > custom type. This doesn't work for string variables corresponding to external programs or commands run by emacs. -- Kim F. Storm <storm@cua.dk> http://www.cua.dk ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-01-31 23:09 Risky local variable mechanism Richard M. Stallman 2006-02-01 0:37 ` Stefan Monnier @ 2006-02-01 2:30 ` Chong Yidong 2006-02-02 4:15 ` Richard M. Stallman 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-01 2:30 UTC (permalink / raw) Cc: emacs-devel "Richard M. Stallman" <rms@gnu.org> writes: > A few days ago I sent a message about possibly replacing the risky > local variable mechanism with something safer. Nobody has responded > yet. This problem is important; please help me think about the issue. If you want to be really restrictive, you can introduce a list of `safe-local-variables', and prompt for anything outside that list (the prompt could have an additional choice, [(a) always allow this variable], a variable to the list). Setting `enable-local-variables' to (e.g.) 'unless-risky could bring back the old behavior, i.e., allowing everything except those marked as risky. It seems like people only actually use a handful of file variables, anyway. From looking at the source trees of Emacs and some other projects, the file local variables in use are: allout-layout byte-compile-dynamic byte-compile-warnings c-basic-offset c-indent-level coding compile-command fill-column fill-prefix indent-tabs-mode kept-new-versions make-backup-files mode outline-layout page-delimiter paragraph-separate sentence-end sentence-end-double-space sgml-omittag sgml-shorttag sgml-minimize-attributes sgml-always-quote-attributes sgml-indent-step sgml-indent-data sgml-parent-document sgml-exposed-tags sgml-local-catalogs sgml-local-ecat-files tab-width time-stamp-end time-stamp-format time-stamp-start trim-versions-without-asking version-control ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 2:30 ` Chong Yidong @ 2006-02-02 4:15 ` Richard M. Stallman 2006-02-02 9:54 ` David Kastrup 0 siblings, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-02 4:15 UTC (permalink / raw) Cc: emacs-devel If you want to be really restrictive, you can introduce a list of `safe-local-variables', and prompt for anything outside that list (the prompt could have an additional choice, [(a) always allow this variable], a variable to the list). Perhaps that is the best solution. However, if only 2% of all file local variable settings are outside that list, it will still cause annoyance to a lot of people. So let's first see if some more general method based on custom types can be made to work. If that can't be made to work, we can fall back on this approach. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 4:15 ` Richard M. Stallman @ 2006-02-02 9:54 ` David Kastrup 2006-02-02 14:54 ` Kim F. Storm 0 siblings, 1 reply; 99+ messages in thread From: David Kastrup @ 2006-02-02 9:54 UTC (permalink / raw) Cc: Chong Yidong, emacs-devel "Richard M. Stallman" <rms@gnu.org> writes: > If you want to be really restrictive, you can introduce a list of > `safe-local-variables', and prompt for anything outside that list (the > prompt could have an additional choice, [(a) always allow this > variable], a variable to the list). > > Perhaps that is the best solution. However, if only 2% of all file > local variable settings are outside that list, it will still cause > annoyance to a lot of people. > > So let's first see if some more general method based on custom types > can be made to work. If that can't be made to work, we can fall back > on this approach. I agree with others that this is not something that makes sense to try to push into Emacs 22.1. I'd even be hesitant to have it move into 23.1: I think that 23.1 should basically concentrate on pushing out multi-tty and unicode-2 branches, as well as an update of frozen externally maintained packages (like tramp). Once we have that off our chest, there is a better time to work on what clearly is a new feature requiring lots of testing and experiments. -- David Kastrup, Kriemhildstr. 15, 44793 Bochum ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 9:54 ` David Kastrup @ 2006-02-02 14:54 ` Kim F. Storm 2006-02-03 5:04 ` Richard M. Stallman 0 siblings, 1 reply; 99+ messages in thread From: Kim F. Storm @ 2006-02-02 14:54 UTC (permalink / raw) Cc: Chong Yidong, rms, emacs-devel David Kastrup <dak@gnu.org> writes: > Once we have that off our chest, there is a better time to work on > what clearly is a new feature requiring lots of testing and > experiments. I agree. Will someone please explain how emacs 22.1 will be less safe than 21.4 if we don't change this "risky business" before the release. -- Kim F. Storm <storm@cua.dk> http://www.cua.dk ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 14:54 ` Kim F. Storm @ 2006-02-03 5:04 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-03 5:04 UTC (permalink / raw) Cc: cyd, emacs-devel Will someone please explain how emacs 22.1 will be less safe than 21.4 if we don't change this "risky business" before the release. This is a serious problem; that it is not new is no reason to accept it. ^ permalink raw reply [flat|nested] 99+ messages in thread
[parent not found: <E1F46oA-0005O8-FC@monty-python.gnu.org>]
* Re: Risky local variable mechanism [not found] <E1F46oA-0005O8-FC@monty-python.gnu.org> @ 2006-02-01 15:24 ` Jonathan Yavner 2006-02-01 17:00 ` Stefan Monnier ` (2 more replies) 0 siblings, 3 replies; 99+ messages in thread From: Jonathan Yavner @ 2006-02-01 15:24 UTC (permalink / raw) Cc: Stefan Monnier Stefan wrote: > Maybe "string and integer custom vars" are all safe, I don't know. No, sendmail-program is not safe, nor is max-eval-lisp-depth. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 15:24 ` Jonathan Yavner @ 2006-02-01 17:00 ` Stefan Monnier 2006-02-01 23:31 ` Kim F. Storm 2006-02-01 23:12 ` Chong Yidong 2006-02-02 16:21 ` Richard M. Stallman 2 siblings, 1 reply; 99+ messages in thread From: Stefan Monnier @ 2006-02-01 17:00 UTC (permalink / raw) Cc: emacs-devel >> Maybe "string and integer custom vars" are all safe, I don't know. > No, sendmail-program is not safe, nor is max-eval-lisp-depth. Indeed, names of external programs need to be ruled out. OTOH I think the only danger with max-eval-lisp-depth is DoS, which I'd rather ignore because it's a tremendously harder problem to solve than direct security holes. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 17:00 ` Stefan Monnier @ 2006-02-01 23:31 ` Kim F. Storm 2006-02-02 5:05 ` Stefan Monnier 0 siblings, 1 reply; 99+ messages in thread From: Kim F. Storm @ 2006-02-01 23:31 UTC (permalink / raw) Cc: Jonathan Yavner, emacs-devel Stefan Monnier <monnier@iro.umontreal.ca> writes: >>> Maybe "string and integer custom vars" are all safe, I don't know. >> No, sendmail-program is not safe, nor is max-eval-lisp-depth. > > Indeed, names of external programs need to be ruled out. Maybe all variables matching "-program$" and "-path$" should be ruled out. -- Kim F. Storm <storm@cua.dk> http://www.cua.dk ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 23:31 ` Kim F. Storm @ 2006-02-02 5:05 ` Stefan Monnier 0 siblings, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-02 5:05 UTC (permalink / raw) Cc: Jonathan Yavner, emacs-devel >>>> Maybe "string and integer custom vars" are all safe, I don't know. >>> No, sendmail-program is not safe, nor is max-eval-lisp-depth. >> Indeed, names of external programs need to be ruled out. > Maybe all variables matching "-program$" and "-path$" should be > ruled out. I'd much rather start with a known-safe set (the empty set) and only add to it elements that are known to be safe. Rather than add large unsafe sets (like all custom vars of type string) and then try to safen them by removing known unsafe cases. Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 15:24 ` Jonathan Yavner 2006-02-01 17:00 ` Stefan Monnier @ 2006-02-01 23:12 ` Chong Yidong 2006-02-02 16:21 ` Richard M. Stallman 2 siblings, 0 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-01 23:12 UTC (permalink / raw) Cc: Stefan Monnier, emacs-devel Jonathan Yavner <jyavner@member.fsf.org> writes: > Stefan wrote: >> Maybe "string and integer custom vars" are all safe, I don't know. > > No, sendmail-program is not safe, nor is max-eval-lisp-depth. We already treat as risky any variable names that match hooks, functions, forms, program, commands, predicates, fontlockkeywords, fontlockkeywords, fontlocksyntactickeywords, framealist, modealist, map, or mapalist. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-01 15:24 ` Jonathan Yavner 2006-02-01 17:00 ` Stefan Monnier 2006-02-01 23:12 ` Chong Yidong @ 2006-02-02 16:21 ` Richard M. Stallman 2006-02-02 17:00 ` Stefan Monnier 2 siblings, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-02 16:21 UTC (permalink / raw) Cc: monnier, emacs-devel > Maybe "string and integer custom vars" are all safe, I don't know. No, sendmail-program is not safe, nor is max-eval-lisp-depth. The worst you can do by setting max-lisp-eval-depth is to make Emacs crash or get an error. I am not sure binding sendmail-program is unsafe. It will generally have no effect if you bind it locally in a buffer that isn't a mail buffer. But looking at the more general issue of binding variables that specify programs to run, I am not sure how much of a security issue that is, other than for root. It can only run programs that exist. Even if you could set sendmail-program globally in Emacs, could you actually find a value that would predictably do harm? ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism 2006-02-02 16:21 ` Richard M. Stallman @ 2006-02-02 17:00 ` Stefan Monnier 0 siblings, 0 replies; 99+ messages in thread From: Stefan Monnier @ 2006-02-02 17:00 UTC (permalink / raw) Cc: Jonathan Yavner, emacs-devel > I am not sure binding sendmail-program is unsafe. > It will generally have no effect if you bind it locally > in a buffer that isn't a mail buffer. But looking at the more > general issue of binding variables that specify programs to run, > I am not sure how much of a security issue that is, > other than for root. It can only run programs that exist. > Even if you could set sendmail-program globally in Emacs, > could you actually find a value that would predictably do harm? It mostly depends on whether or not the string represent the filename of a program or the beginning of a shell command (i.e. can it include arguments?). "Interesting" commands can be "rm" (of course), "echo foobar ~/.ssh/authorized_keys", ... Stefan ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Risky local variable mechanism
@ 2006-02-02 8:14 LENNART BORGMAN
0 siblings, 0 replies; 99+ messages in thread
From: LENNART BORGMAN @ 2006-02-02 8:14 UTC (permalink / raw)
Cc: Chong Yidong, emacs-devel
From: "Richard M. Stallman" <rms@gnu.org>
> If you want to be really restrictive, you can introduce a list of
> `safe-local-variables', and prompt for anything outside that
> list (the
> prompt could have an additional choice, [(a) always allow this
> variable], a variable to the list).
>
> Perhaps that is the best solution. However, if only 2% of all file
> local variable settings are outside that list, it will still cause
> annoyance to a lot of people.
>
> So let's first see if some more general method based on custom types
> can be made to work. If that can't be made to work, we can fall back
> on this approach.
It is much more annoying if there is a possible security hole. Please follow Stefans advice on this. (To have a small set of known safe variables.)
^ permalink raw reply [flat|nested] 99+ messages in thread
* re: risky local variable mechanism @ 2006-02-10 18:13 Jonathan Yavner 2006-02-11 3:19 ` Luc Teirlinck 2006-02-11 17:08 ` Chong Yidong 0 siblings, 2 replies; 99+ messages in thread From: Jonathan Yavner @ 2006-02-10 18:13 UTC (permalink / raw) (re: mechanism proposed by Chong Yidong) unsafep.el (used by SES) calls risky-local-variable-p with NIL as the second argument, because it doesn't know yet what value will be assigned. Please maintain the feature that NIL as second argument to risky-local-variable-p means "There exists at least one risky value that could be assigned to this variable." I'm not sure if your patch does this. Sorry for my poor patch-reading skills. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-10 18:13 risky " Jonathan Yavner @ 2006-02-11 3:19 ` Luc Teirlinck 2006-02-13 4:40 ` Richard M. Stallman 2006-02-11 17:08 ` Chong Yidong 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-11 3:19 UTC (permalink / raw) Cc: emacs-devel Jonathan Yavner wrote: unsafep.el (used by SES) calls risky-local-variable-p with NIL as the second argument, because it doesn't know yet what value will be assigned. If the current risky-local-variable-p is too unreliable for `enable-local-eval' to such a degree that an urgent fix is needed, is it really reliable enough for unsafep? Please maintain the feature that NIL as second argument to risky-local-variable-p means "There exists at least one risky value that could be assigned to this variable." I'm not sure if your patch does this. At first sight, it does not appear that Chong's patch changes this. But, of course, this means that (risky-local-variable-p myvar nil) very well may return t, even though assigning a value of nil may be perfectly safe (and probably is). At first sight, it does not appear that Chong's patch takes this into account. I am not sure that Chong's patch should use risky-local-variable-p at all. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-11 3:19 ` Luc Teirlinck @ 2006-02-13 4:40 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-13 4:40 UTC (permalink / raw) Cc: jyavner, emacs-devel unsafep.el (used by SES) calls risky-local-variable-p with NIL as the second argument, because it doesn't know yet what value will be assigned. If the current risky-local-variable-p is too unreliable for `enable-local-eval' to such a degree that an urgent fix is needed, is it really reliable enough for unsafep? Maybe it isn't. However, it is not necessary for unsafep to be completely as strict as the local variable criteria in all ways, because unsafep checks for function values. Meanwhile, as regards the special meaning of nil as the second arg to risky-local-variable-p, we could instead have a variable risky-local-variable-token, whose value is a particular cons cell, and give that cons cell the special meaning of "unspecified value". The value that hack-one-local-variable produces is made by `read' so it will never be eq to risky-local-variable-token. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-10 18:13 risky " Jonathan Yavner 2006-02-11 3:19 ` Luc Teirlinck @ 2006-02-11 17:08 ` Chong Yidong 2006-02-11 20:27 ` Jonathan Yavner 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-11 17:08 UTC (permalink / raw) Cc: emacs-devel Jonathan Yavner <jyavner@member.fsf.org> writes: > (re: mechanism proposed by Chong Yidong) > > unsafep.el (used by SES) calls risky-local-variable-p with NIL as the > second argument, because it doesn't know yet what value will be > assigned. Please maintain the feature that NIL as second argument to > risky-local-variable-p means "There exists at least one risky value > that could be assigned to this variable." Currently, `risky-local-variable-p' returns t if (1) The variable's `risky-local-variable' property is non-nil, or (2) The variable's name ends with "hook(s)", "function(s)", etc., unless `safe-local-variable' is non-nil, or (3) The variable's `safe-local-variable' property is a function that evaluates to nil when given VAR as an argument. My patch removes condition (3). The idea is that the `safe-local-variable' property can make a variable safe; it doesn't make it risky. Since SES does not use the `safe-local-variable' property, SES will be completely unaffected. (In the first place, the `safe-local-variable' property isn't used much -- pre-patch, the only place in the Emacs tree that sets it is files.el, in which we set compile-command to be always safe.) An orthogonal question is whether risky-local-variable-p has any use if we implement a whitelist. The current behavior, in the patch I posted, is that when the user presses `!' to save a set of local variables (so that Emacs will allow those values in the future), risky variables won't be saved. This seems like annoying behavior. Why should we forbid the user from saving if he explicitly says to save? We can change this so that even risky variables will be saved. But this makes risky variables just like every other variable that is not marked safe. One solution is to to keep `risky-local-variable-p' around for unsafep.el to use, but not actually use it in files.el---and just rely on the whitelist mechanism. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-11 17:08 ` Chong Yidong @ 2006-02-11 20:27 ` Jonathan Yavner 2006-02-11 20:46 ` Chong Yidong 2006-02-12 1:10 ` Luc Teirlinck 0 siblings, 2 replies; 99+ messages in thread From: Jonathan Yavner @ 2006-02-11 20:27 UTC (permalink / raw) Cc: emacs-devel Chong Yidong wrote: > One solution is to to keep `risky-local-variable-p' > around for unsafep.el to use, but not actually use it in > files.el---and just rely on the whitelist mechanism. I don't think this is a good idea. `risky-local-variable-p' was invented five years ago precisely so that files.el and unsafep.el would use the same rules for deciding whether variables were safe. If files.el says a variable is unsafe but unsafep.el thinks it's safe, that is a security hole (a spreadhseet could be written that would tickle the unsafe variable). If files.el says a variable is safe but unsafep says it isn't, that will annoy the user (who will be required to approve the use of that variable every time he loads the spreadsheet). In general, lambdas are unsafe if unsafep says they are, so we could call it instead of arbitrarily declaring that all xxx-function variables are unsafe. If a variable can be nil, a number, or a lambda, we can use unsafep instead of arbitrarily rejecting all lambda cases. Luc Teirlinck wrote: > If the current risky-local-variable-p is too unreliable for > `enable-local-eval' to such a degree that an urgent fix is needed, is > it really reliable enough for unsafep? What exactly is the problem with the current system? Are there unsafe variables erroneously declared safe? Are there file-local variables with safe values erroneously declared unsafe? What is the minimum change needed to solve the current problem? > (risky-local-variable-p myvar nil) very well may return t, even though > assigning a value of nil may be perfectly safe (and probably is). Yeah, I don't like that, either. If a variable has some safe and some unsafe values, it seems likely that nil would be one of the safe ones. Changing this calling convention would break backward compatibility, although it doesn't *seem* like the function is used outside of files.el and unsafep.el. > I am not sure that Chong's patch should use risky-local-variable-p at > all. Again, if files.el and unsafep.el do not use the same mechanism, Emacs will have two definitions for the same concept ("safe variable") which will lead to either security holes or user annoyance. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-11 20:27 ` Jonathan Yavner @ 2006-02-11 20:46 ` Chong Yidong 2006-02-12 19:29 ` Richard M. Stallman 2006-02-12 1:10 ` Luc Teirlinck 1 sibling, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-11 20:46 UTC (permalink / raw) Cc: emacs-devel > What exactly is the problem with the current system? Are there unsafe > variables erroneously declared safe? Are there file-local variables > with safe values erroneously declared unsafe? What is the minimum > change needed to solve the current problem? See Richard's previous emails on this subject. The rationale is that it is safer to add safe values to a whitelist than to add risky variables to a blacklist---you wouldn't know if you missed a dangerous variable. > Again, if files.el and unsafep.el do not use the same mechanism, Emacs > will have two definitions for the same concept ("safe variable") which > will lead to either security holes or user annoyance. It's unlikely that making the file local variable mechanism stricter, while keeping unsafep.el the same, will open up new security holes that didn't already exist. Anyway, it is pretty easy to change unsafep.el to reflect the changes to files.el. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-11 20:46 ` Chong Yidong @ 2006-02-12 19:29 ` Richard M. Stallman 2006-02-12 19:52 ` Chong Yidong 0 siblings, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-12 19:29 UTC (permalink / raw) Cc: jyavner, emacs-devel It's unlikely that making the file local variable mechanism stricter, while keeping unsafep.el the same, will open up new security holes that didn't already exist. Anyway, it is pretty easy to change unsafep.el to reflect the changes to files.el. Could you take a look at doing that? It may not be quite trivial. In particular, the fact that unsafep checks for functions could make some things safe, which otherwise would not be. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-12 19:29 ` Richard M. Stallman @ 2006-02-12 19:52 ` Chong Yidong 2006-02-13 20:05 ` Richard M. Stallman 0 siblings, 1 reply; 99+ messages in thread From: Chong Yidong @ 2006-02-12 19:52 UTC (permalink / raw) Cc: jyavner, emacs-devel "Richard M. Stallman" <rms@gnu.org> writes: > It's unlikely that making the file local variable mechanism stricter, > while keeping unsafep.el the same, will open up new security holes > that didn't already exist. Anyway, it is pretty easy to change > unsafep.el to reflect the changes to files.el. > > Could you take a look at doing that? It may not be quite trivial. > In particular, the fact that unsafep checks for functions > could make some things safe, which otherwise would not be. The relevant part is the function `unsafep-variable', which can be adapted easily. The other things that unsafep.el checks are not related to file variables. *** emacs/lisp/emacs-lisp/unsafep.el.~1.10.~ 2006-02-06 23:43:22.000000000 -0500 --- emacs/lisp/emacs-lisp/unsafep.el 2006-02-11 12:16:17.000000000 -0500 *************** *** 255,261 **** (cond ((not (symbolp sym)) `(variable ,sym)) ! ((risky-local-variable-p sym nil) `(risky-local-variable ,sym)) ((not (or global-okay (memq sym unsafep-vars) --- 255,262 ---- (cond ((not (symbolp sym)) `(variable ,sym)) ! ((and (risky-local-variable-p sym) ! (not (safe-local-variable-p sym val))) `(risky-local-variable ,sym)) ((not (or global-okay (memq sym unsafep-vars) ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-12 19:52 ` Chong Yidong @ 2006-02-13 20:05 ` Richard M. Stallman 2006-02-13 21:03 ` Chong Yidong 0 siblings, 1 reply; 99+ messages in thread From: Richard M. Stallman @ 2006-02-13 20:05 UTC (permalink / raw) Cc: jyavner, emacs-devel The relevant part is the function `unsafep-variable', which can be adapted easily. The other things that unsafep.el checks are not related to file variables. That seems wrong, because it refers to `val' which does not exist in the function unsafep-variable. However, beyond that, it is not clearly right for unsafep to reject binding all variables that would be rejected in a local variables list, given that unsafep can detect giving functions as values. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-13 20:05 ` Richard M. Stallman @ 2006-02-13 21:03 ` Chong Yidong 0 siblings, 0 replies; 99+ messages in thread From: Chong Yidong @ 2006-02-13 21:03 UTC (permalink / raw) Cc: jyavner, emacs-devel > it is not clearly right for unsafep to reject binding all variables > that would be rejected in a local variables list, given that unsafep > can detect giving functions as values. The commentary section of unsafep.el says: ;; A temporary binding is unsafe if its symbol: ;; 1. Has the `risky-local-variable' property. ;; 2. Has a name that ends with -command, font-lock-keywords(-[0-9]+)?, ;; font-lock-syntactic-keywords, -form, -forms, -frame-alist, -function, ;; -functions, -history, -hook, -hooks, -map, -map-alist, -mode-alist, ;; -predicate, or -program. This is exactly the definition of risky variables in my patch. In fact, the *current* definition of risky-local-variable-p does not match this definition exactly, since it also checks `safe-local-property'. (The way it checks it is rather inconsistent, BTW, there is no way to distinguish between VAL=nil meaning "any value of the variable" and VAL=nil meaning "the value nil is supplied" when `safe-local-property' is a function. So if unsafep.el relied on this, it was relying on a bug). Maybe the commentary section of unsafep.el is wrong, and the latter definition is intended. But according to the docstring of `unsafep-variable', it is supposed to detect if a variable is "safe as a let-binding" -- no mention of file local variables there. To clarify this issue, I'd like to ask: what's the specific goal of unsafep.el? Can anyone come up with a precise example of a problem with using unsafep.el resulting from the proposed changes to the file local variables code? With a specific example, we can look into how to adapt unsafep.el; otherwise, we're just going around in circles. (Since SES seems to be the only package that uses unsafep.el, it looks like the example will have to come from there.) ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-11 20:27 ` Jonathan Yavner 2006-02-11 20:46 ` Chong Yidong @ 2006-02-12 1:10 ` Luc Teirlinck 2006-02-12 19:29 ` Richard M. Stallman 1 sibling, 1 reply; 99+ messages in thread From: Luc Teirlinck @ 2006-02-12 1:10 UTC (permalink / raw) Cc: cyd, emacs-devel Jonathan Yavner wrote: What exactly is the problem with the current system? Richard only said that "it was not reliable enough". There seems to be a big sense of urgency and importance about this, however. What is the minimum change needed to solve the current problem? I believe that it seems clear from previous postings that Richard is not interested in a "minimum change" type solution. Are there file-local variables with safe values erroneously declared unsafe? I do not believe that we are currently worrying about that. We are worrying about mistakenly considering dangerous things safe. I _believe_ that Richard is mainly concerned with certain variables, whose value can be a function that Emacs could later call, slipping through the risky-local-variable-p mechanism. The new mechanism, which requires an explicit 'safe-local-variable property for a variable to be considered safe by default, might also not only prevent this easy type of abuse, but might also prevent potential more sophisticated types of attack. Sincerely, Luc. ^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: risky local variable mechanism 2006-02-12 1:10 ` Luc Teirlinck @ 2006-02-12 19:29 ` Richard M. Stallman 0 siblings, 0 replies; 99+ messages in thread From: Richard M. Stallman @ 2006-02-12 19:29 UTC (permalink / raw) Cc: jyavner, cyd, emacs-devel I _believe_ that Richard is mainly concerned with certain variables, whose value can be a function that Emacs could later call, slipping through the risky-local-variable-p mechanism. Exactly. ^ permalink raw reply [flat|nested] 99+ messages in thread
end of thread, other threads:[~2006-02-17 14:30 UTC | newest] Thread overview: 99+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2006-01-31 23:09 Risky local variable mechanism Richard M. Stallman 2006-02-01 0:37 ` Stefan Monnier 2006-02-01 0:41 ` Luc Teirlinck 2006-02-01 2:39 ` Stefan Monnier 2006-02-02 4:17 ` Richard M. Stallman 2006-02-02 12:42 ` Kim F. Storm 2006-02-03 23:43 ` Richard M. Stallman 2006-02-04 4:34 ` Luc Teirlinck 2006-02-05 17:34 ` Richard M. Stallman 2006-02-06 6:00 ` Luc Teirlinck 2006-02-07 6:07 ` Richard M. Stallman 2006-02-07 2:47 ` Luc Teirlinck 2006-02-07 16:45 ` Chong Yidong 2006-02-08 1:49 ` Luc Teirlinck 2006-02-08 2:09 ` Chong Yidong 2006-02-08 2:18 ` Luc Teirlinck 2006-02-08 4:30 ` Chong Yidong 2006-02-08 4:56 ` Chong Yidong 2006-02-08 5:02 ` Luc Teirlinck 2006-02-08 5:00 ` Luc Teirlinck 2006-02-08 5:28 ` Chong Yidong 2006-02-08 3:13 ` Stefan Monnier 2006-02-08 4:51 ` Chong Yidong 2006-02-08 5:07 ` Stefan Monnier 2006-02-08 5:25 ` Chong Yidong 2006-02-08 6:00 ` Stefan Monnier 2006-02-08 13:35 ` Chong Yidong 2006-02-08 21:41 ` Stefan Monnier 2006-02-08 6:06 ` Luc Teirlinck 2006-02-08 6:49 ` Stefan Monnier 2006-02-08 5:48 ` Luc Teirlinck 2006-02-08 6:08 ` Stefan Monnier 2006-02-08 6:17 ` Luc Teirlinck 2006-02-08 6:48 ` Stefan Monnier 2006-02-09 17:47 ` Richard M. Stallman 2006-02-09 17:47 ` Richard M. Stallman 2006-02-10 23:57 ` Luc Teirlinck 2006-02-08 9:21 ` Juri Linkov 2006-02-08 12:48 ` Disabled commands (was: Risky local variable mechanism) Stefan Monnier 2006-02-09 17:48 ` Richard M. Stallman 2006-02-09 22:07 ` Disabled commands Stefan Monnier 2006-02-10 2:30 ` Miles Bader 2006-02-10 7:47 ` Eli Zaretskii 2006-02-13 8:36 ` Bill Wohler 2006-02-13 9:26 ` Kim F. Storm 2006-02-13 9:43 ` Giorgos Keramidas 2006-02-13 13:54 ` Romain Francoise 2006-02-09 18:46 ` Kevin Rodgers 2006-02-08 15:45 ` Risky local variable mechanism Drew Adams 2006-02-09 3:58 ` Luc Teirlinck 2006-02-09 17:48 ` Richard M. Stallman 2006-02-10 5:34 ` Chong Yidong 2006-02-10 17:03 ` Stefan Monnier 2006-02-10 17:54 ` Chong Yidong 2006-02-11 0:31 ` Luc Teirlinck 2006-02-12 1:00 ` Stefan Monnier 2006-02-12 4:30 ` Richard M. Stallman 2006-02-11 3:31 ` Luc Teirlinck 2006-02-12 1:02 ` Stefan Monnier 2006-02-12 1:15 ` Luc Teirlinck 2006-02-11 16:44 ` Richard M. Stallman 2006-02-14 1:33 ` Chong Yidong 2006-02-14 2:50 ` Luc Teirlinck 2006-02-14 22:17 ` Richard M. Stallman 2006-02-14 3:16 ` Luc Teirlinck 2006-02-14 3:32 ` Luc Teirlinck 2006-02-14 3:38 ` Luc Teirlinck 2006-02-14 3:48 ` Chong Yidong 2006-02-14 4:11 ` Luc Teirlinck 2006-02-14 4:26 ` Chong Yidong 2006-02-16 14:02 ` safe-local-variable additions (was: Risky local variable mechanism) Reiner Steib 2006-02-17 2:47 ` safe-local-variable additions Chong Yidong 2006-02-17 14:30 ` Reiner Steib 2006-02-02 12:47 ` Risky local variable mechanism Kim F. Storm 2006-02-01 2:30 ` Chong Yidong 2006-02-02 4:15 ` Richard M. Stallman 2006-02-02 9:54 ` David Kastrup 2006-02-02 14:54 ` Kim F. Storm 2006-02-03 5:04 ` Richard M. Stallman [not found] <E1F46oA-0005O8-FC@monty-python.gnu.org> 2006-02-01 15:24 ` Jonathan Yavner 2006-02-01 17:00 ` Stefan Monnier 2006-02-01 23:31 ` Kim F. Storm 2006-02-02 5:05 ` Stefan Monnier 2006-02-01 23:12 ` Chong Yidong 2006-02-02 16:21 ` Richard M. Stallman 2006-02-02 17:00 ` Stefan Monnier -- strict thread matches above, loose matches on Subject: below -- 2006-02-02 8:14 LENNART BORGMAN 2006-02-10 18:13 risky " Jonathan Yavner 2006-02-11 3:19 ` Luc Teirlinck 2006-02-13 4:40 ` Richard M. Stallman 2006-02-11 17:08 ` Chong Yidong 2006-02-11 20:27 ` Jonathan Yavner 2006-02-11 20:46 ` Chong Yidong 2006-02-12 19:29 ` Richard M. Stallman 2006-02-12 19:52 ` Chong Yidong 2006-02-13 20:05 ` Richard M. Stallman 2006-02-13 21:03 ` Chong Yidong 2006-02-12 1:10 ` Luc Teirlinck 2006-02-12 19:29 ` Richard M. Stallman
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).