From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Thien-Thi Nguyen Newsgroups: gmane.emacs.devel Subject: Re: Security flaw in enable-local-eval; new release plan Date: Mon, 13 Aug 2012 08:32:57 +0200 Message-ID: <87r4rbjo86.fsf@zigzag.favinet> References: <87obmfsczi.fsf@gnu.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature" X-Trace: dough.gmane.org 1344839611 11647 80.91.229.3 (13 Aug 2012 06:33:31 GMT) X-Complaints-To: usenet@dough.gmane.org NNTP-Posting-Date: Mon, 13 Aug 2012 06:33:31 +0000 (UTC) Cc: emacs-devel@gnu.org To: Chong Yidong Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Mon Aug 13 08:33:32 2012 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1T0oDT-00083Q-4T for ged-emacs-devel@m.gmane.org; Mon, 13 Aug 2012 08:33:31 +0200 Original-Received: from localhost ([::1]:53808 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1T0oDS-00055W-3m for ged-emacs-devel@m.gmane.org; Mon, 13 Aug 2012 02:33:30 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:43180) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1T0oDP-00055P-2K for emacs-devel@gnu.org; Mon, 13 Aug 2012 02:33:28 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1T0oDO-0001RE-7c for emacs-devel@gnu.org; Mon, 13 Aug 2012 02:33:26 -0400 Original-Received: from smtp205.alice.it ([82.57.200.101]:42323) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1T0oDM-0001Oh-Ht; Mon, 13 Aug 2012 02:33:24 -0400 Original-Received: from zigzag.favinet (80.180.3.200) by smtp205.alice.it (8.6.023.02) id 500F3F9E03C41A62; Mon, 13 Aug 2012 08:33:03 +0200 Original-Received: from ttn by zigzag.favinet with local (Exim 4.72) (envelope-from ) id 1T0oDB-0006q6-8b; Mon, 13 Aug 2012 08:33:13 +0200 In-Reply-To: <87obmfsczi.fsf@gnu.org> (Chong Yidong's message of "Mon, 13 Aug 2012 11:10:57 +0800") User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 82.57.200.101 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:152460 Archived-At: --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable () Chong Yidong () Mon, 13 Aug 2012 11:10:57 +0800 (let ((safe (or (hack-one-local-variable-eval-safep (eval (quote val))) ;; In case previously marked safe (bug#5636). (safe-local-variable-p var val)))) ;; If not safe and e-l-v =3D :safe, ignore totally. (when (or safe (not (eq enable-local-variables :safe))) (push elt all-vars) (or (eq enable-local-eval t) safe (push elt unsafe-vars)))) It seems control reaches =E2=80=98eval=E2=80=99 before reaching the =E2=80= =98:safe=E2=80=99 check, thus defeating the check. Am i missing something? =2D-=20 Thien-Thi Nguyen ..................................... GPG key: 4C807502 . NB: ttn at glug dot org is not me . . (and has not been since 2007 or so) . . ACCEPT NO SUBSTITUTES . ........... please send technical questions to mailing lists ........... --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlAon58ACgkQZwMiJEyAdQKkdgCeOE4tST2cfjJIHLvhPSguyPMy Xw0AnRlsvLR4RFN2lBIbcKSP7kOHT1c0 =wfCv -----END PGP SIGNATURE----- --=-=-=--