Newsgroups: gmane.emacs.help
Subject: Re: eval and security
Date: Mon, 24 Oct 2016 14:31:52 +0200
Message-ID: <20161024123151.GB10964@tuxteam.de>
To: help-gnu-emacs@gnu.org
On Mon, Oct 24, 2016 at 02:20:44PM +0200, Andreas Röhler wrote:
> Hi,
>
> remember a saying like "avoid calls like (eval 'my-symbol) in
> lisp-code" as related to security issues.
>
> Is there some reading to learn more? Maybe I'm mistaken about something?

Perhaps because a randomly downloaded package can redefine 'my-symbol
to be something evil?

In any case, if you indirect your code through user-overridable stuff
(e.g. hooks), the least you can do is to use a defvar marking the thing
as "risky": then Emacs will do its best to avoid changing it when the
user doesn't expect it.

There's a chapter "Security Considerations" in the Emacs Lisp manual[1].

regards

[1] https://www.gnu.org/software/emacs/manual/html_node/elisp/Security-Considerations.html

-- 
t
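As an added illustration of the "mark it risky" advice above (example code, not from the thread or from Emacs itself; the `my-package-*` names are hypothetical): a package that lets users override a hook and a shell command string marks both with the `risky-local-variable` property, so a file-local variable block cannot set them without Emacs asking the user first, while a harmless numeric setting is declared safe with a predicate.

```elisp
;;; Added example: marking user-overridable variables as risky.
;;; Names prefixed my-package- are hypothetical, constructed for this example.

(defvar my-package-after-load-hook nil
  "Hook run after my-package finishes loading.")

;; Emacs already treats names ending in -hook, -function(s), -command,
;; -program, -predicate, -form(s), -map, etc. as risky, so this `put'
;; mainly documents intent.  It matters for names without such a suffix.
(put 'my-package-after-load-hook 'risky-local-variable t)

(defvar my-package-shell-cmd "ls"
  "Shell command my-package runs.  No telltale suffix, so mark it by hand.")
(put 'my-package-shell-cmd 'risky-local-variable t)

(defvar my-package-indent-width 4
  "Indentation width; plain data that a file may safely set.")
;; Only integer values are accepted from file-local settings.
(put 'my-package-indent-width 'safe-local-variable #'integerp)

(defun my-package-risky-p (sym)
  "Return non-nil if SYM would be rejected or confirmed as a file-local variable."
  (risky-local-variable-p sym))

;; (my-package-risky-p 'my-package-shell-cmd)     ; => t
;; (my-package-risky-p 'my-package-indent-width)  ; => nil
```

With these properties set, `hack-local-variables` treats a `-*- my-package-shell-cmd: "rm -rf /" -*-` line in a visited file as a risky assignment and prompts instead of applying it silently, whereas an integer `my-package-indent-width` is applied without a prompt.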