From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Jean Louis Newsgroups: gmane.emacs.devel Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It Date: Wed, 4 Dec 2024 12:39:00 +0300 Message-ID: References: <878qswfya2.fsf@librehacker.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="3165"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Mutt/2.2.12 (2023-09-09) Cc: Emacs Devel Mailing List To: Christopher Howard Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed Dec 04 12:25:29 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1tInVZ-0000dO-Ds for ged-emacs-devel@m.gmane-mx.org; Wed, 04 Dec 2024 12:25:29 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1tInUe-0000pD-1D; Wed, 04 Dec 2024 06:24:32 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tInUc-0000p3-RZ for emacs-devel@gnu.org; Wed, 04 Dec 2024 06:24:31 -0500 Original-Received: from stw1.rcdrun.com ([217.170.207.13]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1tInUa-0006M2-6k for emacs-devel@gnu.org; Wed, 04 Dec 2024 06:24:30 -0500 Original-Received: from localhost ([::ffff:41.75.179.4]) (AUTH: PLAIN admin, TLS: TLS1.3,256bits,ECDHE_RSA_AES_256_GCM_SHA384) by stw1.rcdrun.com with ESMTPSA id 0000000000082026.0000000067503BE6.0036D27A; Wed, 04 Dec 2024 04:24:22 -0700 Mail-Followup-To: Christopher Howard , Emacs Devel Mailing List Content-Disposition: inline In-Reply-To: <878qswfya2.fsf@librehacker.com> Received-SPF: pass client-ip=217.170.207.13; envelope-from=bugs@gnu.support; helo=stw1.rcdrun.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:326023 Archived-At: * Christopher Howard [2024-12-03 20:56]: > Hi, I read the interesting write up here: > > https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html > > I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything it in, nor running dabbrev commands, is there any danger? Should I setup Emacs to, by default, open all elisp files in View Mode? > > Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion. > > I was going to e-mail the author of the post, but cloudflare won't let me see his e-mail address. In every programming language it is possible to obscure the code and execute arbitrary code. I do not see it as special security issue, it is common, known. -- Jean Louis