From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert Thorpe
Newsgroups: gmane.emacs.help
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Sun, 24 Sep 2017 19:29:17 +0100
Message-ID: <87vak8c5mq.fsf@robertthorpeconsulting.com>
In-Reply-To: (message from Philipp Stephani on Sun, 24 Sep 2017 07:13:55 +0000)
To: Philipp Stephani
Cc: help-gnu-emacs@gnu.org
List-Id: Users list for the GNU Emacs text editor

Philipp Stephani writes:

> Eli Zaretskii wrote on Sun, 24 Sep 2017 at 04:54:
>
>> > From: Yuri Khan
>> > Date: Sun, 24 Sep 2017 03:50:51 +0700
>> > Cc: "help-gnu-emacs@gnu.org"
>> >
>> > On Sun, Sep 24, 2017 at 12:34 AM, Eli Zaretskii wrote:
>> >
>> > > Why are you visiting a file about which you know nothing at all?
>> >
>> > Why not? Opening a file in a text editor is not normally considered a
>> > hazardous activity.
>>
>> A file whose source you don't trust or are unfamiliar with should
>> initially be examined with find-file-literally, if your security is
>> indeed important for you. That emulates what most other text editors
>> do when you open a file.
>>
>
> That's an unrealistic requirement; nobody will ever do this. Emacs must
> make sure to never run untrusted code when visiting a file, unless the user
> explicitly asked for (via the enable-local-eval variable).

I think it would be very useful if Emacs had a concept of trusted-zones.
So, a person could declare their main local partition to be trusted. Or
they could declare it to be trusted except for the browser cache (for
example). They could declare a lower degree of trust for some
directories or mount-points.

BR,
Robert Thorpe