From: Andreas Röhler
Newsgroups: gmane.emacs.help
Subject: Re: eval and security
Date: Tue, 25 Oct 2016 09:34:40 +0200
Message-ID: <3b5f2fbf-2433-9bf4-0160-41041f590370@easy-emacs.de>
References: <20161024123151.GB10964@tuxteam.de>
To: help-gnu-emacs@gnu.org

On 24.10.2016 20:50, Philipp Stephani wrote:
> wrote on Mon, 24 Oct 2016 at 14:32:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On Mon, Oct 24, 2016 at 02:20:44PM +0200, Andreas Röhler wrote:
>>> Hi,
>>>
>>> remember a saying like "avoid calls like (eval 'my-symbol) in
>>> lisp-code" as related to security issues.
>>>
>>> Is there some reading to learn more? Maybe I'm mistaking something?
>> Perhaps because a randomly downloaded package can redefine 'my-symbol
>> to be something evil?
>>
> Randomly downloaded packages can just say
> (eval-when-compile (shell-command "rm -rf /"))
> No need to override symbols to do something evil.

For the moment taking `symbol-value' as less powerful and sufficient at the use-cases - later calls to `looking-at' etc.
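
The difference between `eval' and `symbol-value' for the `looking-at' use case mentioned above, as an added Emacs Lisp example that is not part of the original message. The names `my-comment-start-re', `my-regexp-from-symbol', `my-looking-at-by-name' and `my-call-count' are hypothetical, and the buffer text is constructed.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example: look up a regexp by variable name without `eval'.

(defvar my-comment-start-re "^[ \t]*;+"
  "Constructed sample: a regexp held in a variable and looked up by name.")

(defun my-regexp-from-symbol (sym)
  "Return the string value of the variable named by SYM.
`symbol-value' never evaluates a form: it signals `wrong-type-argument'
when SYM is not a symbol and `void-variable' when SYM is unbound.  It
reads the dynamic (special) value only, not a lexical binding.  The
extra `stringp' check keeps non-regexp values away from `looking-at'."
  (let ((value (symbol-value sym)))
    (unless (stringp value)
      (signal 'wrong-type-argument (list 'stringp value)))
    value))

(defun my-looking-at-by-name (sym)
  "Return non-nil if text after point matches the regexp stored in SYM."
  (looking-at (my-regexp-from-symbol sym)))

;; Normal use on constructed buffer text.
(with-temp-buffer
  (insert ";; a comment line\n")
  (goto-char (point-min))
  (message "matches: %S" (my-looking-at-by-name 'my-comment-start-re)))

;; Contrast: `eval' accepts any form, so a list reaching it is executed.
(defvar my-call-count 0
  "Counter used only to make the side effect of `eval' visible.")

(eval '(setq my-call-count (1+ my-call-count)) t)
(message "after eval: %d" my-call-count)

;; The same list handed to the `symbol-value' helper is rejected and
;; the counter is left unchanged.
(condition-case err
    (my-regexp-from-symbol '(setq my-call-count (1+ my-call-count)))
  (wrong-type-argument
   (message "rejected: %S, counter still %d" err my-call-count)))
```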