From: Stefan Monnier
Newsgroups: gmane.emacs.devel
Subject: Re: Please rename trusted-content to trusted-contents
Date: Sat, 21 Dec 2024 23:48:45 -0500
References: <86cyhmkczw.fsf@gnu.org> <86ikrea65l.fsf@gnu.org>
To: Stefan Kangas
Cc: Eli Zaretskii, rms@gnu.org, emacs-devel@gnu.org
In-Reply-To: (Stefan Monnier's message of "Sat, 21 Dec 2024 23:36:27 -0500")
Xref: news.gmane.io gmane.emacs.devel:326839

>>> so if he is okay with that name, we are not in a bad place.
>> I'm copying in Stefan Monnier, in case he has any comments.
> Indeed, I hesitated between `trusted-content` and `trusted-contents` but
> not long enough to learn which is right.

OK, I tried to figure it out, but at least the info I found wasn't very definitive.
It seems to have to do with whether it's countable or not, or whether it describes the "conceptual ideas" contained as opposed to the actual elements contained. I'm not sure which is more appropriate in this case and even less sure that one of the two is wrong.

A related question is what to do with `untrusted-content` (which is the identifier with which I aligned mine). If we rename `trusted-content`, we should likely rename `untrusted-content` as well (and this one would require a backward compatibility alias).

> I'll rename it ASAP, thanks Richard!

Here's the patch I came up with via `grep` (without renaming `untrusted-content`).

        Stefan

diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi index 97a82747bfc..e0ce2233cfe 100644 --- a/doc/emacs/misc.texi +++ b/doc/emacs/misc.texi @@ -298,9 +298,9 @@ Host Security Flymake, completion, and some other features, unless the visited file is @dfn{trusted}. It is up to you to specify which files on your system should be trusted, by customizing the user option -@code{trusted-content}. +@code{trusted-contents}. -@defopt trusted-content +@defopt trusted-contents The value of this option is @code{nil} by default, which means no file is trusted. You can customize the variable to be a list of one or more names of trusted files and directories. A file name that ends in a diff --git a/etc/NEWS b/etc/NEWS index 61cb66387bb..5ce4c3cd7f8 100644 --- a/etc/NEWS +++ b/etc/NEWS @@ -200,7 +200,7 @@ see the variable 'url-request-extra-headers'. * Changes in Emacs 30.1 +++ -** New user option 'trusted-content' to allow potentially dangerous features. +** New user option 'trusted-contents' to allow potentially dangerous features. This variable lists those files and directories whose content Emacs should consider as sufficiently trusted to run any part of the code contained therein even without any explicit user request.
@@ -1871,7 +1871,7 @@ In the past they included a terminating newline in most cases but not all. +++ *** 'elisp-flymake-byte-compile' is disabled for untrusted files. For security reasons, this backend can be used only in those files -specified as trusted according to 'trusted-content' and emits an +specified as trusted according to 'trusted-contents' and emits an "untrusted content" warning otherwise. This fixes CVE-2024-53920. diff --git a/lisp/files.el b/lisp/files.el index 86eff296459..62905da1ee5 100644 --- a/lisp/files.el +++ b/lisp/files.el @@ -714,7 +714,7 @@ untrusted-content This variable might be subject to change without notice.") (put 'untrusted-content 'permanent-local t) -(defcustom trusted-content nil +(defcustom trusted-contents nil "List of files and directories whose content we trust. Be extra careful here since trusting means that Emacs might execute the code contained within those files and directories without an explicit @@ -732,21 +732,21 @@ trusted-content :type '(choice (repeat :tag "List" file) (const :tag "Trust everything (DANGEROUS!)" :all)) :version "30.1") -(put 'trusted-content 'risky-local-variable t) +(put 'trusted-contents 'risky-local-variable t) -(defun trusted-content-p () +(defun trusted-contents-p () "Return non-nil if we trust the contents of the current buffer. Here, \"trust\" means that we are willing to run code found inside of it. -See also `trusted-content'." +See also `trusted-contents'." ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name' ;; to try and avoid marking as trusted a file that's merely accessed ;; via a symlink that happens to be inside a trusted dir. (and (not untrusted-content) (or - (eq trusted-content :all) + (eq trusted-contents :all) (and buffer-file-truename - (with-demoted-errors "trusted-content-p: %S" + (with-demoted-errors "trusted-contents-p: %S" (let ((exists (file-exists-p buffer-file-truename))) (or ;; We can't avoid trusting the user's init file. 
@@ -755,7 +755,7 @@ trusted-content-p (equal buffer-file-truename user-init-file)) (let ((file (abbreviate-file-name buffer-file-truename)) (trusted nil)) - (dolist (tf trusted-content) + (dolist (tf trusted-contents) (when (or (if exists (file-equal-p tf file) (equal tf file)) ;; We don't use `file-in-directory-p' here, because ;; we want to err on the conservative side: "guilty diff --git a/lisp/ielm.el b/lisp/ielm.el index 7511d4b02ae..da5ad992389 100644 --- a/lisp/ielm.el +++ b/lisp/ielm.el @@ -580,7 +580,7 @@ inferior-emacs-lisp-mode ielm-fontify-input-enable (comint-fontify-input-mode)) - (setq-local trusted-content :all) + (setq-local trusted-contents :all) (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt))) (setq-local paragraph-separate "\\'") (setq-local paragraph-start comint-prompt-regexp) diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el index 17606352c4a..c48861712de 100644 --- a/lisp/progmodes/elisp-mode.el +++ b/lisp/progmodes/elisp-mode.el @@ -451,7 +451,7 @@ elisp--local-macroenv (defvar elisp--macroexpand-untrusted-warning t) (defun elisp--safe-macroexpand-all (sexp) - (if (not (trusted-content-p)) + (if (not (trusted-contents-p)) ;; FIXME: We should try and do better here, either using a notion ;; of "safe" macros, or with `bwrap', or ... (progn @@ -1338,7 +1338,7 @@ lisp-interaction-mode \\{lisp-interaction-mode-map}" :abbrev-table nil (setq-local lexical-binding t) - (setq-local trusted-content :all)) + (setq-local trusted-contents :all)) ;;; Emacs Lisp Byte-Code mode 
@@ -2203,7 +2203,7 @@ elisp-flymake-byte-compile "A Flymake backend for elisp byte compilation. Spawn an Emacs process that byte-compiles a file representing the current buffer state and calls REPORT-FN when done." - (unless (trusted-content-p) + (unless (trusted-contents-p) ;; FIXME: Use `bwrap' and friends to compile untrusted content. ;; FIXME: We emit a message *and* signal an error, because by default ;; Flymake doesn't display the warning it puts into "*flmake log*". diff --git a/lisp/simple.el b/lisp/simple.el index 088678ba857..fd027ec1915 100644 --- a/lisp/simple.el +++ b/lisp/simple.el @@ -2033,7 +2033,7 @@ read--expression (set-syntax-table emacs-lisp-mode-syntax-table) (add-hook 'completion-at-point-functions #'elisp-completion-at-point nil t) - (setq-local trusted-content :all) + (setq-local trusted-contents :all) (run-hooks 'eval-expression-minibuffer-setup-hook)) (read-from-minibuffer prompt initial-contents read--expression-map t
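Review bot: In the lisp/files.el hunk at @@ -714, `(defcustom trusted-contents nil` is renamed while the companion variable two lines above, `(put 'untrusted-content 'permanent-local t)`, keeps the old spelling, so the pair now reads `trusted-contents` / `untrusted-content`. The cover text already says `untrusted-content` should follow and that it needs a backward-compatibility alias; either do both renames in one commit (with a `define-obsolete-variable-alias` for the old `untrusted-content`) or record the follow-up in the commit message so the inconsistency does not ship.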
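Review bot: The etc/NEWS hunk at @@ -200 files this under "Changes in Emacs 30.1" as a new option, so dropping the old name without an alias is only safe if no release has shipped `trusted-content`; if a pretest has, an existing `(setq trusted-content ...)` in a user's init file silently stops applying. Worth stating in the commit message that this was checked. The failure mode is at least conservative: `trusted-contents` defaults to `nil`, so a lost setting means nothing is trusted rather than too much.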
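Review bot: In the lisp/progmodes/elisp-mode.el hunk at @@ -1338, `(setq-local trusted-contents :all)` in `lisp-interaction-mode` trusts every buffer in that mode, not only *scratch*, so a file visited in it is trusted too. The files.el hunk at @@ -732 shows that `trusted-contents-p` checks `(not untrusted-content)` before `(eq trusted-contents :all)`, so sources that mark a buffer untrusted still win, but a reader of this hunk cannot see that; a one-line comment next to the `setq-local` (here and in the matching ielm.el and simple.el hunks) saying why `:all` is acceptable for user-typed buffers would help.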