From: Stefan Monnier <monnier@iro.umontreal.ca>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: Eli Zaretskii <eliz@gnu.org>, rms@gnu.org, emacs-devel@gnu.org
Subject: Re: Please rename trusted-content to trusted-contents
Date: Tue, 24 Dec 2024 00:14:38 -0500
Message-ID: <jwv4j2tirxo.fsf-monnier+emacs@gnu.org>
In-Reply-To: <jwvh66wba58.fsf-monnier+emacs@gnu.org> (Stefan Monnier's message of "Sat, 21 Dec 2024 23:48:45 -0500")
The ensuing discussion makes me think the current identifiers are fine.
Stefan
Stefan Monnier [2024-12-21 23:48:45] wrote:
>>>> so if he is okay with that name, we are not in a bad place.
>>> I'm copying in Stefan Monnier, in case he has any comments.
>> Indeed, I hesitated between `trusted-content` and `trusted-contents` but
>> not long enough to learn which is right.
>
> OK, I tried to figure it out, but at least the info I found wasn't
> very definitive. It seems to have to do with whether it's countable or
> not, or whether it describes the "conceptual ideas" contained as opposed
> to the actual elements contained.
> I'm not sure which is more appropriate in this case and even less sure
> that one of the two is wrong.
>
> A related question is what to do with `untrusted-content` (which is the
> identifier with which I aligned mine). If we rename `trusted-content`,
> we should likely rename `untrusted-content` as well (and this one
> would require a backward compatibility alias).
>
>> I'll rename it ASAP, thanks Richard!
>
> Here's the patch I came up with via `grep` (without renaming
> `untrusted-content`).
>
>
> Stefan
>
>
> diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi
> index 97a82747bfc..e0ce2233cfe 100644
> --- a/doc/emacs/misc.texi
> +++ b/doc/emacs/misc.texi
> @@ -298,9 +298,9 @@ Host Security
> Flymake, completion, and some other features, unless the visited file is
> @dfn{trusted}. It is up to you to specify which files on your system
> should be trusted, by customizing the user option
> -@code{trusted-content}.
> +@code{trusted-contents}.
>
> -@defopt trusted-content
> +@defopt trusted-contents
> The value of this option is @code{nil} by default, which means no file
> is trusted. You can customize the variable to be a list of one or more
> names of trusted files and directories. A file name that ends in a
> diff --git a/etc/NEWS b/etc/NEWS
> index 61cb66387bb..5ce4c3cd7f8 100644
> --- a/etc/NEWS
> +++ b/etc/NEWS
> @@ -200,7 +200,7 @@ see the variable 'url-request-extra-headers'.
> * Changes in Emacs 30.1
>
> +++
> -** New user option 'trusted-content' to allow potentially dangerous features.
> +** New user option 'trusted-contents' to allow potentially dangerous features.
> This variable lists those files and directories whose content Emacs should
> consider as sufficiently trusted to run any part of the code contained
> therein even without any explicit user request.
> @@ -1871,7 +1871,7 @@ In the past they included a terminating newline in most cases but not all.
> +++
> *** 'elisp-flymake-byte-compile' is disabled for untrusted files.
> For security reasons, this backend can be used only in those files
> -specified as trusted according to 'trusted-content' and emits an
> +specified as trusted according to 'trusted-contents' and emits an
> "untrusted content" warning otherwise.
> This fixes CVE-2024-53920.
>
> diff --git a/lisp/files.el b/lisp/files.el
> index 86eff296459..62905da1ee5 100644
> --- a/lisp/files.el
> +++ b/lisp/files.el
> @@ -714,7 +714,7 @@ untrusted-content
> This variable might be subject to change without notice.")
> (put 'untrusted-content 'permanent-local t)
>
> -(defcustom trusted-content nil
> +(defcustom trusted-contents nil
> "List of files and directories whose content we trust.
> Be extra careful here since trusting means that Emacs might execute the
> code contained within those files and directories without an explicit
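Review bot: the `defcustom` is renamed with no `define-obsolete-variable-alias` for `trusted-content`, so a setting made under the old name would be silently ignored and the option would stay at its default of `nil`. If the old name has been visible in a pretest or on a release branch, consider keeping an obsolete alias, or say in the commit message why none is needed. Note also that `untrusted-content` on the context line above stays singular, so the two related names no longer match.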
> @@ -732,21 +732,21 @@ trusted-content
> :type '(choice (repeat :tag "List" file)
> (const :tag "Trust everything (DANGEROUS!)" :all))
> :version "30.1")
> -(put 'trusted-content 'risky-local-variable t)
> +(put 'trusted-contents 'risky-local-variable t)
>
> -(defun trusted-content-p ()
> +(defun trusted-contents-p ()
> "Return non-nil if we trust the contents of the current buffer.
> Here, \"trust\" means that we are willing to run code found inside of it.
> -See also `trusted-content'."
> +See also `trusted-contents'."
> ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
> ;; to try and avoid marking as trusted a file that's merely accessed
> ;; via a symlink that happens to be inside a trusted dir.
> (and (not untrusted-content)
> (or
> - (eq trusted-content :all)
> + (eq trusted-contents :all)
> (and
> buffer-file-truename
> - (with-demoted-errors "trusted-content-p: %S"
> + (with-demoted-errors "trusted-contents-p: %S"
> (let ((exists (file-exists-p buffer-file-truename)))
> (or
> ;; We can't avoid trusting the user's init file.
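Review bot: `trusted-content-p` is renamed at its `defun` with no `define-obsolete-function-alias` left behind, so any caller not covered by this patch that still uses the old name would signal a void-function error instead of getting a trust decision. If the old name may already be in use outside the files touched here, keep an obsolete function alias alongside the renamed `defun`.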
> @@ -755,7 +755,7 @@ trusted-content-p
> (equal buffer-file-truename user-init-file))
> (let ((file (abbreviate-file-name buffer-file-truename))
> (trusted nil))
> - (dolist (tf trusted-content)
> + (dolist (tf trusted-contents)
> (when (or (if exists (file-equal-p tf file) (equal tf file))
> ;; We don't use `file-in-directory-p' here, because
> ;; we want to err on the conservative side: "guilty
> diff --git a/lisp/ielm.el b/lisp/ielm.el
> index 7511d4b02ae..da5ad992389 100644
> --- a/lisp/ielm.el
> +++ b/lisp/ielm.el
> @@ -580,7 +580,7 @@ inferior-emacs-lisp-mode
> ielm-fontify-input-enable
> (comint-fontify-input-mode))
>
> - (setq-local trusted-content :all)
> + (setq-local trusted-contents :all)
> (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
> (setq-local paragraph-separate "\\'")
> (setq-local paragraph-start comint-prompt-regexp)
> diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el
> index 17606352c4a..c48861712de 100644
> --- a/lisp/progmodes/elisp-mode.el
> +++ b/lisp/progmodes/elisp-mode.el
> @@ -451,7 +451,7 @@ elisp--local-macroenv
> (defvar elisp--macroexpand-untrusted-warning t)
>
> (defun elisp--safe-macroexpand-all (sexp)
> - (if (not (trusted-content-p))
> + (if (not (trusted-contents-p))
> ;; FIXME: We should try and do better here, either using a notion
> ;; of "safe" macros, or with `bwrap', or ...
> (progn
> @@ -1338,7 +1338,7 @@ lisp-interaction-mode
> \\{lisp-interaction-mode-map}"
> :abbrev-table nil
> (setq-local lexical-binding t)
> - (setq-local trusted-content :all))
> + (setq-local trusted-contents :all))
>
> ;;; Emacs Lisp Byte-Code mode
>
> @@ -2203,7 +2203,7 @@ elisp-flymake-byte-compile
> "A Flymake backend for elisp byte compilation.
> Spawn an Emacs process that byte-compiles a file representing the
> current buffer state and calls REPORT-FN when done."
> - (unless (trusted-content-p)
> + (unless (trusted-contents-p)
> ;; FIXME: Use `bwrap' and friends to compile untrusted content.
> ;; FIXME: We emit a message *and* signal an error, because by default
> ;; Flymake doesn't display the warning it puts into "*flmake log*".
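Review bot: the context comment under the changed `unless` line names the buffer as "*flmake log*", which looks like a misspelling of Flymake. It predates this patch, but it is worth correcting in a follow-up so that a search for the log buffer name finds this comment.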
> diff --git a/lisp/simple.el b/lisp/simple.el
> index 088678ba857..fd027ec1915 100644
> --- a/lisp/simple.el
> +++ b/lisp/simple.el
> @@ -2033,7 +2033,7 @@ read--expression
> (set-syntax-table emacs-lisp-mode-syntax-table)
> (add-hook 'completion-at-point-functions
> #'elisp-completion-at-point nil t)
> - (setq-local trusted-content :all)
> + (setq-local trusted-contents :all)
> (run-hooks 'eval-expression-minibuffer-setup-hook))
> (read-from-minibuffer prompt initial-contents
> read--expression-map t