unofficial mirror of emacs-devel@gnu.org 
From: Stefan Monnier <monnier@iro.umontreal.ca>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: Eli Zaretskii <eliz@gnu.org>,  rms@gnu.org,  emacs-devel@gnu.org
Subject: Re: Please rename trusted-content to trusted-contents
Date: Tue, 24 Dec 2024 00:14:38 -0500
Message-ID: <jwv4j2tirxo.fsf-monnier+emacs@gnu.org>
In-Reply-To: <jwvh66wba58.fsf-monnier+emacs@gnu.org> (Stefan Monnier's message of "Sat, 21 Dec 2024 23:48:45 -0500")

The ensuing discussion makes me think the current identifiers are fine.


        Stefan


Stefan Monnier [2024-12-21 23:48:45] wrote:

>>>> so if he is okay with that name, we are not in a bad place.
>>> I'm copying in Stefan Monnier, in case he has any comments.
>> Indeed, I hesitated between `trusted-content` and `trusted-contents` but
>> not long enough to learn which is right.
>
> OK, I tried to figure it out, but at least the info I found wasn't
> very definitive.  It seems to have to do with whether it's countable or
> not, or whether it describes the "conceptual ideas" contained as opposed
> to the actual elements contained.
> I'm not sure which is more appropriate in this case and even less sure
> that one of the two is wrong.
>
> A related question is what to do with `untrusted-content` (which is the
> identifier with which I aligned mine).  If we rename `trusted-content`,
> we should likely rename `untrusted-content` as well (and this one
> would require a backward compatibility alias).
>
>> I'll rename it ASAP, thanks Richard!
>
> Here's the patch I came up with via `grep` (without renaming
> `untrusted-content`).
>
>
>         Stefan
>
>
> diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi
> index 97a82747bfc..e0ce2233cfe 100644
> --- a/doc/emacs/misc.texi
> +++ b/doc/emacs/misc.texi
> @@ -298,9 +298,9 @@ Host Security
>  Flymake, completion, and some other features, unless the visited file is
>  @dfn{trusted}.  It is up to you to specify which files on your system
>  should be trusted, by customizing the user option
> -@code{trusted-content}.
> +@code{trusted-contents}.
>  
> -@defopt trusted-content
> +@defopt trusted-contents
>  The value of this option is @code{nil} by default, which means no file
>  is trusted.  You can customize the variable to be a list of one or more
>  names of trusted files and directories.  A file name that ends in a
> diff --git a/etc/NEWS b/etc/NEWS
> index 61cb66387bb..5ce4c3cd7f8 100644
> --- a/etc/NEWS
> +++ b/etc/NEWS
> @@ -200,7 +200,7 @@ see the variable 'url-request-extra-headers'.
>  * Changes in Emacs 30.1
>  
>  +++
> -** New user option 'trusted-content' to allow potentially dangerous features.
> +** New user option 'trusted-contents' to allow potentially dangerous features.
>  This variable lists those files and directories whose content Emacs should
>  consider as sufficiently trusted to run any part of the code contained
>  therein even without any explicit user request.
> @@ -1871,7 +1871,7 @@ In the past they included a terminating newline in most cases but not all.
>  +++
>  *** 'elisp-flymake-byte-compile' is disabled for untrusted files.
>  For security reasons, this backend can be used only in those files
> -specified as trusted according to 'trusted-content' and emits an
> +specified as trusted according to 'trusted-contents' and emits an
>  "untrusted content" warning otherwise.
>  This fixes CVE-2024-53920.
>  
> diff --git a/lisp/files.el b/lisp/files.el
> index 86eff296459..62905da1ee5 100644
> --- a/lisp/files.el
> +++ b/lisp/files.el
> @@ -714,7 +714,7 @@ untrusted-content
>  This variable might be subject to change without notice.")
>  (put 'untrusted-content 'permanent-local t)
>  
> -(defcustom trusted-content nil
> +(defcustom trusted-contents nil
>    "List of files and directories whose content we trust.
>  Be extra careful here since trusting means that Emacs might execute the
>  code contained within those files and directories without an explicit
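
Review bot: the context line directly above the renamed defcustom still reads `(put 'untrusted-content 'permanent-local t)`, so after this hunk files.el pairs a singular `untrusted-content` with a plural `trusted-contents`, and the docstring's first line still says "whose content we trust". Either rename both identifiers in the same change or keep both singular, and settle on one spelling in the docstring so a search for the option by its prose name finds it.
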
> @@ -732,21 +732,21 @@ trusted-content
>    :type '(choice (repeat :tag "List" file)
>                   (const :tag "Trust everything (DANGEROUS!)" :all))
>    :version "30.1")
> -(put 'trusted-content 'risky-local-variable t)
> +(put 'trusted-contents 'risky-local-variable t)
>  
> -(defun trusted-content-p ()
> +(defun trusted-contents-p ()
>    "Return non-nil if we trust the contents of the current buffer.
>  Here, \"trust\" means that we are willing to run code found inside of it.
> -See also `trusted-content'."
> +See also `trusted-contents'."
>    ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
>    ;; to try and avoid marking as trusted a file that's merely accessed
>    ;; via a symlink that happens to be inside a trusted dir.
>    (and (not untrusted-content)
>         (or
> -        (eq trusted-content :all)
> +        (eq trusted-contents :all)
>          (and
>           buffer-file-truename
> -         (with-demoted-errors "trusted-content-p: %S"
> +         (with-demoted-errors "trusted-contents-p: %S"
>             (let ((exists (file-exists-p buffer-file-truename)))
>               (or
>                ;; We can't avoid trusting the user's init file.
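
Review bot: `trusted-content-p` is renamed at the defun with nothing left under the old name, so any caller outside this patch gets a void-function error instead of a trust decision. With `:version "30.1"` in the context that is acceptable only if the old name never shipped; otherwise add a `define-obsolete-function-alias` next to the defun. The `risky-local-variable` property also moves to the new symbol only, so if a variable alias for `trusted-content` is added later, check that the old name is still rejected as a file-local variable.
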
> @@ -755,7 +755,7 @@ trusted-content-p
>                  (equal buffer-file-truename user-init-file))
>                (let ((file (abbreviate-file-name buffer-file-truename))
>                      (trusted nil))
> -                (dolist (tf trusted-content)
> +                (dolist (tf trusted-contents)
>                    (when (or (if exists (file-equal-p tf file) (equal tf file))
>                              ;; We don't use `file-in-directory-p' here, because
>                              ;; we want to err on the conservative side: "guilty
> diff --git a/lisp/ielm.el b/lisp/ielm.el
> index 7511d4b02ae..da5ad992389 100644
> --- a/lisp/ielm.el
> +++ b/lisp/ielm.el
> @@ -580,7 +580,7 @@ inferior-emacs-lisp-mode
>         ielm-fontify-input-enable
>         (comint-fontify-input-mode))
>  
> -  (setq-local trusted-content :all)
> +  (setq-local trusted-contents :all)
>    (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
>    (setq-local paragraph-separate "\\'")
>    (setq-local paragraph-start comint-prompt-regexp)
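
Review bot: `(setq-local trusted-contents :all)` here is one of three sites in this patch (with `lisp-interaction-mode` and `read--expression`) that mark a buffer as trusted by assigning the variable by name, and a site that still assigns `trusted-content` will not signal any error. Going by the predicate in the files.el hunk, such a buffer would simply be treated as untrusted, which fails safe but silently. Since the patch was produced with `grep`, re-run the search over the whole tree after applying it, and consider a `define-obsolete-variable-alias` if out-of-tree modes may already set the old name.
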
> diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el
> index 17606352c4a..c48861712de 100644
> --- a/lisp/progmodes/elisp-mode.el
> +++ b/lisp/progmodes/elisp-mode.el
> @@ -451,7 +451,7 @@ elisp--local-macroenv
>  (defvar elisp--macroexpand-untrusted-warning t)
>  
>  (defun elisp--safe-macroexpand-all (sexp)
> -  (if (not (trusted-content-p))
> +  (if (not (trusted-contents-p))
>        ;; FIXME: We should try and do better here, either using a notion
>        ;; of "safe" macros, or with `bwrap', or ...
>        (progn
> @@ -1338,7 +1338,7 @@ lisp-interaction-mode
>  \\{lisp-interaction-mode-map}"
>    :abbrev-table nil
>    (setq-local lexical-binding t)
> -  (setq-local trusted-content :all))
> +  (setq-local trusted-contents :all))
>  
>  ;;; Emacs Lisp Byte-Code mode
>  
> @@ -2203,7 +2203,7 @@ elisp-flymake-byte-compile
>    "A Flymake backend for elisp byte compilation.
>  Spawn an Emacs process that byte-compiles a file representing the
>  current buffer state and calls REPORT-FN when done."
> -  (unless (trusted-content-p)
> +  (unless (trusted-contents-p)
>      ;; FIXME: Use `bwrap' and friends to compile untrusted content.
>      ;; FIXME: We emit a message *and* signal an error, because by default
>      ;; Flymake doesn't display the warning it puts into "*flmake log*".
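
Review bot: the second FIXME comment in the context below the changed line names the buffer "*flmake log*", which looks like a misspelling of the Flymake log buffer name. As this patch already touches `elisp-flymake-byte-compile`, fix the comment here or in a follow-up so the pointer to where the "untrusted content" warning ends up can be found by search.
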
> diff --git a/lisp/simple.el b/lisp/simple.el
> index 088678ba857..fd027ec1915 100644
> --- a/lisp/simple.el
> +++ b/lisp/simple.el
> @@ -2033,7 +2033,7 @@ read--expression
>          (set-syntax-table emacs-lisp-mode-syntax-table)
>          (add-hook 'completion-at-point-functions
>                    #'elisp-completion-at-point nil t)
> -        (setq-local trusted-content :all)
> +        (setq-local trusted-contents :all)
>          (run-hooks 'eval-expression-minibuffer-setup-hook))
>      (read-from-minibuffer prompt initial-contents
>                            read--expression-map t



