From: Stefan
Newsgroups: gmane.emacs.devel
Subject: Re: The `risky-local-variable' blacklist
Date: 31 Aug 2004 10:01:03 -0400
Original-To: Davis Herring
Cc: emacs-devel@gnu.org

> (Apologies in advance for a long message, but this is a long issue.)

> While looking at diffs for `timeclock.el', I noticed the addition of a
> risky-local-variable declaration for "timeclock-mode-string". This is
> certainly justified, but calls forth a bigger concern: is it wise to apply
> a 'trust by default' policy when such innocuous-looking variables as that
> mode-string can completely compromise a user's security (including
> modifying configurations for further attacks)?

Actually, for mode-line variables, the situation is a bit more complex:
the lack of "risky-local-variable" annotation was not introducing any kind
of security hole because when we interpret a mode-line-string, we discard
any "dangerous" element (such as "eval") unless the variable is marked
as "risky".

I.e. either we check its safety via the "risky" annotation or we assume it's
dangerous and we only use known-safe elements. So the "risky" annotation
was only added in order to enable potentially dangerous things like "eval"
in that variable.


        Stefan
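
A simplified model of the rule described in the reply above, added here as an illustration; it is not Emacs's own mode-line code and not part of the original message. The names `demo-mode-line-evals` and `demo-clock-string` are hypothetical, the sample value is constructed, and the model covers only `(:eval FORM)` elements.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: audit which (:eval FORM) elements of a mode-line
;; construct would be honored under "trusted only if marked risky".

(defun demo-mode-line-evals (construct trusted &optional depth)
  "Return the FORMs of `(:eval FORM)' in CONSTRUCT that this model would run.
TRUSTED stays non-nil only while every variable followed so far carries
the `risky-local-variable' property.  DEPTH stops self-referential values."
  (let ((depth (or depth 0)))
    (cond
     ((> depth 20) nil)
     ;; A variable reference: its value is trusted only if the symbol is
     ;; marked.  Once trust is lost it is never regained further down.
     ((and (symbolp construct)
           (not (memq construct '(nil t)))
           (not (keywordp construct))
           (boundp construct))
      (demo-mode-line-evals (symbol-value construct)
                            (and trusted
                                 (get construct 'risky-local-variable))
                            (1+ depth)))
     ;; Strings, integers, unbound symbols: nothing to evaluate.
     ((not (consp construct)) nil)
     ;; The dangerous element: kept only for a trusted value.
     ((eq (car construct) :eval)
      (and trusted (list (cadr construct))))
     (t
      ;; In (SYMBOL THEN ELSE) the car is only a condition, so skip it
      ;; and audit both branches; otherwise audit every list element.
      (let ((items (if (symbolp (car construct)) (cdr construct) construct))
            (found nil))
        (while (consp items)
          (setq found (append found
                              (demo-mode-line-evals (car items) trusted
                                                    (1+ depth))))
          (setq items (cdr items)))
        found)))))

;; Constructed sample value, shaped like one a file's local variables
;; list could assign to a mode-line string variable.
(defvar demo-clock-string
  '("clock " (:eval (format-time-string "%H:%M"))))

;; Unmarked variable: the :eval element is discarded.
(message "unmarked: %S" (demo-mode-line-evals 'demo-clock-string t))
;; Marked risky: the value cannot come from a file, so :eval is honored.
(put 'demo-clock-string 'risky-local-variable t)
(message "marked:   %S" (demo-mode-line-evals 'demo-clock-string t))
```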