From: Davis Herring
Newsgroups: gmane.emacs.devel
Subject: Re: The `risky-local-variable' blacklist
Date: Tue, 31 Aug 2004 15:42:03 -0600 (MDT)
Cc: emacs-devel@gnu.org
Original-To: Stefan
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1518306044-1765067110-1093988523=:31548"

---1518306044-1765067110-1093988523=:31548
Content-Type: TEXT/PLAIN; charset=US-ASCII

> Actually, for mode-line variables, the situation is a bit more complex:
> the lack of "risky-local-variable" annotation was not introducing any kind
> of security hole because when we interpret a mode-line-string, we discard
> any "dangerous" element (such as "eval") unless the variable is marked as
> "risky".  I.e. either we check its safety via the "risky" annotation or we
> assume it's dangerous and we only use known-safe elements.
>
> So the "risky" annotation was only added in order to enable potentially
> dangerous things like "eval" in that variable.

We may be speaking at cross-purposes, but are you sure about that?

$ emacs -q lvtest #lvtest is attached to this message
M-: java-mode-abbrev-table RET
>> cheese
M-: java-mode-syntax-table RET
>> (((nil)))

Both those variables are set sans prompting with the default security
settings; of course, those variables (and the nonsense values I supply)
are harmless, but other random variables with no `risky' or `safe'
indications might not be.

I realize now that my example about timeclock is silly, because
`timeclock-mode-string' wasn't dangerous before and isn't now, since it
has never been included in `mode-line-format' except as a symbol, and
those are not evaluated twice (so as to execute a form set as its value).
However, this is itself worthy of note: gm, when he applied the
`risky-local-variable' brand, had mis-diagnosed the danger of that
variable.  All it takes is for one person (whose code, whether part of
Emacs or not, is used widely) to misdiagnose (or forget to diagnose) a
variable in the other direction, and trouble ensues.

So I believe my original statements about the (potential and extreme)
danger of such things -- and the necessity of improvement in their
control -- stand.

Davis Herring

-- 
This product is sold by volume, not by mass.  If it seems too dense or too
sparse, it means mass-energy conversion has occurred during shipping.

---1518306044-1765067110-1093988523=:31548
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=lvtest
Content-Transfer-Encoding: BASE64
Content-Description: Local Variables Test
Content-Disposition: attachment; filename=lvtest

Ly8tKi0gbW9kZTogSmF2YTsgamF2YS1tb2RlLWFiYnJldi10YWJsZSA6IGNo
ZWVzZSAtKi0NCg0KLy9Mb2NhbCB2YXJpYWJsZXM6DQovL2phdmEtbW9kZS1z
eW50YXgtdGFibGU6ICgoKG5pbCkpKQ0KLy9FbmQ6DQo=

---1518306044-1765067110-1093988523=:31548--
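
Added example (not part of the message above and not Emacs code): a Python audit that reads a file's local-variable specs without opening it in Emacs and compares a default-allow policy (only names marked risky are held back) with a default-deny one (only names marked safe are set). The RISKY and SAFE sets and the sample file layout are assumptions for illustration, and the parser ignores refinements such as semicolons inside values.

```python
import re

# Constructed sample: the two variables and values are the ones quoted in the
# message; the surrounding file layout is assumed for this example.
SAMPLE = (
    "//-*- mode: Java; java-mode-abbrev-table : cheese -*-\n"
    "\n"
    "//Local variables:\n"
    "//java-mode-syntax-table: (((nil)))\n"
    "//End:\n"
)
PSEUDO = {"mode", "coding"}            # handled specially, not plain variables
RISKY = {"eval", "mode-line-format"}   # assumed stand-in for the `risky' marks
SAFE = {"fill-column"}                 # assumed stand-in for the `safe' marks

def file_local_variables(text):
    """Return [(name, value)] from the -*- line and the Local Variables block."""
    found = []
    lines = text.splitlines()
    header = re.search(r"-\*-(.*?)-\*-", lines[0]) if lines else None
    if header:
        for item in header.group(1).split(";"):
            name, sep, value = item.partition(":")
            if sep:
                found.append((name.strip(), value.strip()))
    for i, line in enumerate(lines):
        start = re.match(r"(.*?)Local variables:\s*(.*)$", line, re.IGNORECASE)
        if not start:
            continue
        prefix, suffix = start.groups()   # comment prefix/suffix around each entry
        for body in lines[i + 1:]:
            if not body.startswith(prefix):
                break
            body = body[len(prefix):]
            if suffix and body.endswith(suffix):
                body = body[:-len(suffix)]
            name, sep, value = body.partition(":")
            if not sep or name.strip().lower() == "end":
                break
            found.append((name.strip(), value.strip()))
        break
    return [(n, v) for n, v in found if n.lower() not in PSEUDO]

def audit(text, policy):
    """Map each variable to 'set' (applied silently) or 'ask' under a policy."""
    result = {}
    for name, _ in file_local_variables(text):
        if policy == "default-allow":   # blacklist: only marked-risky names ask
            result[name] = "ask" if name in RISKY else "set"
        else:                           # default-deny: only marked-safe names set
            result[name] = "set" if name in SAFE else "ask"
    return result
```

Calling `audit(SAMPLE, "default-allow")` reports both unmarked variables as `set`, while `audit(SAMPLE, "default-deny")` reports both as `ask`.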