RE: [mwelinder@gmail.com: Emacs security bug]

["Marshall, Simon" <Simon.Marshall@misys.com>]

[-- Attachment #1: Type: text/plain, Size: 1399 bytes --]

> I see no point in investing any significant time to try and fix
> this problem.

Phew.

> > Probably the most reasonable fix, in the circumstances, is to make
> > fast-lock-cache-directories a risky local variable and remove "."
from
> > its default value?
> 
> Sounds OK.

Attached is a patch.  Simon.



 "Misys" is the trade name for Misys plc (registered in England and Wales). Registration Number: 01360027. Registered office: Burleigh House, Chapel Oak, Salford Priors, Evesham WR11 8SP. For a list of Misys group operating companies please go to http://www.misys.com/html/about_us/group_operating_companies/. This email and any attachments have been scanned for known viruses using multiple scanners. 
 
We believe that this email and any attachments are virus free, however the recipient must take full responsibility for virus checking. This email message is intended for the named recipient only. It may be privileged and/or confidential. If you are not the named recipient of this email please notify us immediately and do not copy it or use it for any purpose, nor disclose its contents to any other person. This email does not constitute the commencement of legal relations between you and Misys plc. Please refer to the executed contract between you and the relevant member of the Misys group for the identity of the contracting party with which you are dealing. 

[-- Attachment #2: fast-lock.diff --]
[-- Type: application/octet-stream, Size: 2124 bytes --]

*** fast-lock.el.~1~	Thu Jan 10 12:15:40 2008
--- fast-lock.el	Mon May 12 17:30:28 2008
***************
*** 286,292 ****
  				      (integer :tag "size")))))
    :group 'fast-lock)
  
! (defcustom fast-lock-cache-directories '("." "~/.emacs-flc")
  ; - `internal', keep each file's Font Lock cache file in the same file.
  ; - `external', keep each file's Font Lock cache file in the same directory.
    "*Directories in which Font Lock cache files are saved and read.
--- 286,292 ----
  				      (integer :tag "size")))))
    :group 'fast-lock)
  
! (defcustom fast-lock-cache-directories '("~/.emacs-flc")
  ; - `internal', keep each file's Font Lock cache file in the same file.
  ; - `external', keep each file's Font Lock cache file in the same directory.
    "*Directories in which Font Lock cache files are saved and read.
***************
*** 304,315 ****
   ((\"^/your/true/home/directory/\" . \".\") \"~/.emacs-flc\")
  
  would cause a file's current directory to be used if the file is under your
! home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'."
    :type '(repeat (radio (directory :tag "directory")
  			(cons :tag "Matching"
  			      (regexp :tag "regexp")
  			      (directory :tag "directory"))))
    :group 'fast-lock)
  
  (defcustom fast-lock-save-events '(kill-buffer kill-emacs)
    "*Events under which caches will be saved.
--- 304,318 ----
   ((\"^/your/true/home/directory/\" . \".\") \"~/.emacs-flc\")
  
  would cause a file's current directory to be used if the file is under your
! home directory hierarchy, or otherwise the absolute directory `~/.emacs-flc'.
! For security reasons, it is not advisable to use the file's current directory
! to avoid the possibility of using the cache of another user."
    :type '(repeat (radio (directory :tag "directory")
  			(cons :tag "Matching"
  			      (regexp :tag "regexp")
  			      (directory :tag "directory"))))
    :group 'fast-lock)
+ (put 'fast-lock-cache-directories 'risky-local-variable t)
  
  (defcustom fast-lock-save-events '(kill-buffer kill-emacs)
    "*Events under which caches will be saved.

[-- Attachment #3: ChangeLog.diff --]
[-- Type: application/octet-stream, Size: 389 bytes --]

*** ChangeLog~	Wed Mar 26 13:32:44 2008
--- ChangeLog	Mon May 12 17:33:38 2008
***************
*** 1,3 ****
--- 1,8 ----
+ 2008-05-12  Simon Marshall  <simon@gnu.org>
+ 
+ 	* fast-lock.el (fast-lock-cache-directories): Remove "." from its
+ 	default value and give it the risky-local-variable property.
+ 
  2008-03-26  Chong Yidong  <cyd@stupidchicken.com>
  
  	* Version 22.2 released.