From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: Please rename trusted-content to trusted-contents
Date: Tue, 24 Dec 2024 00:14:38 -0500
References: <86cyhmkczw.fsf@gnu.org> <86ikrea65l.fsf@gnu.org>
In-Reply-To: (Stefan Monnier's message of "Sat, 21 Dec 2024 23:48:45 -0500")
To: Stefan Kangas
Cc: Eli Zaretskii, rms@gnu.org, emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13)
Xref: news.gmane.io gmane.emacs.devel:326960

The ensuing discussion makes me think the current identifiers are fine.


        Stefan


Stefan Monnier [2024-12-21 23:48:45] wrote:
>>>> so if he is okay with that name, we are not in a bad place.
>>> I'm copying in Stefan Monnier, in case he has any comments.
>> Indeed, I hesitated between `trusted-content` and `trusted-contents` but >> not long enough to learn which is right. > > OK, I tried to figure it out, but at least the info I found wasn't > very definitive. It seems to have to do with whether it's countable or > not, or whether it describe the "conceptual ideas" contained as opposed > to the actual elements contained. > I'm not sure which is more appropriate in this case and even less sure > that one of the two is wrong. > > A related question is what to do with `untrusted-content` (which is the > identifier with which I aligned mine). If we rename `trusted-content`, > we should likely rename `untrusted-content` as well (and this one > would require a backward compatibility alias). > >> I'll rename it ASAP, thanks Richard! > > Here's the patch I came up with via `grep` (without renaming > `untrusted-content`). > > > Stefan > > > diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi > index 97a82747bfc..e0ce2233cfe 100644 > --- a/doc/emacs/misc.texi > +++ b/doc/emacs/misc.texi > @@ -298,9 +298,9 @@ Host Security > Flymake, completion, and some other features, unless the visited file is > @dfn{trusted}. It is up to you to specify which files on your system > should be trusted, by customizing the user option > -@code{trusted-content}. > +@code{trusted-contents}. > > -@defopt trusted-content > +@defopt trusted-contents > The value of this option is @code{nil} by default, which means no file > is trusted. You can customize the variable to be a list of one or more > names of trusted files and directories. A file name that ends in a > diff --git a/etc/NEWS b/etc/NEWS > index 61cb66387bb..5ce4c3cd7f8 100644 > --- a/etc/NEWS > +++ b/etc/NEWS 
> @@ -200,7 +200,7 @@ see the variable 'url-request-extra-headers'. > * Changes in Emacs 30.1 > > +++ > -** New user option 'trusted-content' to allow potentially dangerous features. > +** New user option 'trusted-contents' to allow potentially dangerous features. > This variable lists those files and directories whose content Emacs should > consider as sufficiently trusted to run any part of the code contained > therein even without any explicit user request. > @@ -1871,7 +1871,7 @@ In the past they included a terminating newline in most cases but not all. > +++ > *** 'elisp-flymake-byte-compile' is disabled for untrusted files. > For security reasons, this backend can be used only in those files > -specified as trusted according to 'trusted-content' and emits an > +specified as trusted according to 'trusted-contents' and emits an > "untrusted content" warning otherwise. > This fixes CVE-2024-53920. > > diff --git a/lisp/files.el b/lisp/files.el > index 86eff296459..62905da1ee5 100644 > --- a/lisp/files.el > +++ b/lisp/files.el > @@ -714,7 +714,7 @@ untrusted-content > This variable might be subject to change without notice.") > (put 'untrusted-content 'permanent-local t) > > -(defcustom trusted-content nil > +(defcustom trusted-contents nil > "List of files and directories whose content we trust. > Be extra careful here since trusting means that Emacs might execute the > code contained within those files and directories without an explicit 
> @@ -732,21 +732,21 @@ trusted-content > :type '(choice (repeat :tag "List" file) > (const :tag "Trust everything (DANGEROUS!)" :all)) > :version "30.1") > -(put 'trusted-content 'risky-local-variable t) > +(put 'trusted-contents 'risky-local-variable t) > > -(defun trusted-content-p () > +(defun trusted-contents-p () > "Return non-nil if we trust the contents of the current buffer. > Here, \"trust\" means that we are willing to run code found inside of it. > -See also `trusted-content'." > +See also `trusted-contents'." > ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name' > ;; to try and avoid marking as trusted a file that's merely accessed > ;; via a symlink that happens to be inside a trusted dir. > (and (not untrusted-content) > (or > - (eq trusted-content :all) > + (eq trusted-contents :all) > (and > buffer-file-truename > - (with-demoted-errors "trusted-content-p: %S" > + (with-demoted-errors "trusted-contents-p: %S" > (let ((exists (file-exists-p buffer-file-truename))) > (or > ;; We can't avoid trusting the user's init file. > @@ -755,7 +755,7 @@ trusted-content-p > (equal buffer-file-truename user-init-file)) > (let ((file (abbreviate-file-name buffer-file-truename)) > (trusted nil)) > - (dolist (tf trusted-content) > + (dolist (tf trusted-contents) > (when (or (if exists (file-equal-p tf file) (equal tf file)) > ;; We don't use `file-in-directory-p' here, because > ;; we want to err on the conservative side: "guilty > diff --git a/lisp/ielm.el b/lisp/ielm.el > index 7511d4b02ae..da5ad992389 100644 > --- a/lisp/ielm.el > +++ b/lisp/ielm.el > @@ -580,7 +580,7 @@ inferior-emacs-lisp-mode > ielm-fontify-input-enable > (comint-fontify-input-mode)) > > - (setq-local trusted-content :all) > + (setq-local trusted-contents :all) > (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt))) > (setq-local paragraph-separate "\\'") > (setq-local paragraph-start comint-prompt-regexp) 
> diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el > index 17606352c4a..c48861712de 100644 > --- a/lisp/progmodes/elisp-mode.el > +++ b/lisp/progmodes/elisp-mode.el > @@ -451,7 +451,7 @@ elisp--local-macroenv > (defvar elisp--macroexpand-untrusted-warning t) > > (defun elisp--safe-macroexpand-all (sexp) > - (if (not (trusted-content-p)) > + (if (not (trusted-contents-p)) > ;; FIXME: We should try and do better here, either using a notion > ;; of "safe" macros, or with `bwrap', or ... > (progn > @@ -1338,7 +1338,7 @@ lisp-interaction-mode > \\{lisp-interaction-mode-map}" > :abbrev-table nil > (setq-local lexical-binding t) > - (setq-local trusted-content :all)) > + (setq-local trusted-contents :all)) > > ;;; Emacs Lisp Byte-Code mode > > @@ -2203,7 +2203,7 @@ elisp-flymake-byte-compile > "A Flymake backend for elisp byte compilation. > Spawn an Emacs process that byte-compiles a file representing the > current buffer state and calls REPORT-FN when done." > - (unless (trusted-content-p) > + (unless (trusted-contents-p) > ;; FIXME: Use `bwrap' and friends to compile untrusted content. > ;; FIXME: We emit a message *and* signal an error, because by default > ;; Flymake doesn't display the warning it puts into "*flmake log*". > diff --git a/lisp/simple.el b/lisp/simple.el > index 088678ba857..fd027ec1915 100644 > --- a/lisp/simple.el > +++ b/lisp/simple.el > @@ -2033,7 +2033,7 @@ read--expression > (set-syntax-table emacs-lisp-mode-syntax-table) > (add-hook 'completion-at-point-functions > #'elisp-completion-at-point nil t) > - (setq-local trusted-content :all) > + (setq-local trusted-contents :all) > (run-hooks 'eval-expression-minibuffer-setup-hook)) > (read-from-minibuffer prompt initial-contents > read--expression-map t
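Review bot: on the doc/emacs/misc.texi hunk, the patch renames the @defopt and the single @code reference but touches no other file under doc/; a rename found "via grep" should also be run over doc/lispref and the rest of doc/emacs so that no stale `trusted-content` index entry or cross-reference survives, since the @defopt line is what generates the Info index entry users look up.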
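Review bot: on the etc/NEWS hunk at line 1871, the entry now says files must be trusted according to 'trusted-contents' while the warning text in the same sentence is still quoted as "untrusted content"; that is consistent with the decision in the reply not to rename `untrusted-content`, but a NEWS reader will see both spellings side by side, so a short parenthetical that `untrusted-content` deliberately keeps its name would avoid the appearance of a typo.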
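Review bot: on the lisp/files.el hunk at line 714, the renamed defcustom keeps `:version "30.1"`, which is only right if the rename lands before 30.1 ships; if `trusted-content` has already appeared in a 30.1 pretest, the old name deserves a `define-obsolete-variable-alias`, the same treatment the reply says `untrusted-content` would need if it were renamed.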
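Review bot: on the lisp/files.el hunk at line 732, `trusted-content-p` is renamed without an alias as well; the predicate is called from outside files.el (elisp-mode.el in this very patch), and any third-party Flymake or completion backend that adopted it will break on the rename, so a `define-obsolete-function-alias` for `trusted-content-p` is cheap insurance. Moving the `risky-local-variable` property to the new name in the same hunk is correct and must not be dropped, since a file-local `trusted-contents: :all` would otherwise be honoured silently.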
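Review bot: on the lisp/ielm.el hunk, `(setq-local trusted-contents :all)` sets the value the defcustom itself labels "Trust everything (DANGEROUS!)"; that is the right choice for a REPL buffer whose contents the user types, but a one-line comment at the `setq-local` saying why `:all` is safe here would stop the next security-minded grep for `:all` from reading it as an accident (the same applies to the identical lines in lisp-interaction-mode and read--expression).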
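Review bot: on the lisp/progmodes/elisp-mode.el hunk at line 2203, the `(unless (trusted-contents-p) ...)` gate is the check that NEWS credits with fixing CVE-2024-53920, so the rename must not be applied by a search-and-replace that could also touch the docstring text around it; confirm that the "untrusted content" message emitted in the body of that branch (not shown in the hunk) still names the option users must set, since after this patch that option is `trusted-contents`, not `trusted-content`.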