From: "Marshall, Simon" <Simon.Marshall@misys.com>
To: "Chong Yidong" <cyd@stupidchicken.com>, "Eli Zaretskii" <eliz@gnu.org>
Cc: Simon Marshall <simon@gnu.org>, mwelinder@gmail.com, emacs-devel@gnu.org
Subject: RE: [mwelinder@gmail.com: Emacs security bug]
Date: Mon, 12 May 2008 11:10:50 +0100
Message-ID: <6EE216E1AA959543A555C60FF34FB7670418B0A2@maileube01.misys.global.ad>
In-Reply-To: 87mymy6wnq.fsf@stupidchicken.com

> > - --> Observe that code from foo.c.flc is run.  Not good.
> > (This is with Emacs 21.3.1; XEmacs is also affected, although step 1
> > needs to be adjusted.)
> >
> > Suggestions:
> >
> > a. Remove "." from fast-lock-cache-directories.  Littering little
> > files everywhere is not a good idea anyway.
> >
> > b. Don't use load to handle the .flc file.  Instead read it into a
> > buffer and read one s-expression at a time and verify that it is
> > sane before evaluating it.
> 
> Simon, could you take a look at this (you're listed as the author of
> fast-lock.el)?

OK, it seems fast-lock writes a single (fast-lock-cache-data ...) form
into the .flc file, and fast-lock loads the .flc file.  Is there a way
to restrict the forms evaluated during a load, rather than parsing the
.flc file?  Or a better way?

Also note that fast-lock-cache-data calls font-lock-compile-keywords
(when setting font-lock-keywords amongst others) which can ultimately
eval a keyword.  That would also be a security hole, right?  (I assume
that isn't a security issue in general because font-lock-keywords is a
risky local variable, but I think that is a security issue here.)
Someone could put their nasty form in the top-level call of
fast-lock-cache-data, for font-lock-compile-keywords to eval, rather than
at the top-level of the .flc file itself.  I don't see how that could be
fixed with the current design of font-lock.el.

I know this is a bit cheeky of me, but fast-lock.el is so old that even
its successor, lazy-lock.el, is in lisp/obsolete.  It was last updated
for functional purposes in 1996.  

Probably the most reasonable fix, in the circumstances, is to make
fast-lock-cache-directories a risky local variable and remove "." from
its default value?

Simon.

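The following is an added example, not code from fast-lock.el or from anyone in this thread, of what suggestion (b) above could look like in Emacs Lisp: read the .flc file with `read' instead of `load', accept only the single `fast-lock-cache-data' form that fast-lock writes, and walk its arguments to confirm they are plain data before doing anything with them. Every name prefixed `flc-safe-' is hypothetical, and the .flc contents shown in the comments are constructed for illustration.

```elisp
;; Added example (not fast-lock.el's own code).  Read a .flc cache file as
;; data and validate it rather than handing it to `load', which evaluates
;; every top-level form it finds.  All `flc-safe-' names are hypothetical.

(defconst flc-safe-expected-head 'fast-lock-cache-data
  "The only top-level form a cache file is allowed to contain.")

(defun flc-safe-atom-p (x)
  "Non-nil if X is a plain datum: a string, a number or a symbol."
  (or (stringp x) (numberp x) (symbolp x)))

(defun flc-safe-data-p (x)
  "Non-nil if X is a tree built only from atoms, conses and ordinary vectors.
Anything else the reader can produce, such as a #[...] byte-code object,
a #s(hash-table ...) or a record, is rejected.  Lists are treated purely
as data here; whether a consumer later evaluates them is a separate matter."
  (cond ((flc-safe-atom-p x) t)
        ((consp x) (and (flc-safe-data-p (car x))
                        (flc-safe-data-p (cdr x))))
        ((vectorp x) (let ((ok t))
                       (dotimes (i (length x))
                         (unless (flc-safe-data-p (aref x i))
                           (setq ok nil)))
                       ok))
        (t nil)))

(defun flc-safe-read-cache (file)
  "Return the argument list of the single `fast-lock-cache-data' form in FILE.
Signal an error for anything else.  FILE is read, never loaded or evaluated."
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-min))
    ;; Disable #N= / #N# circular syntax so the walk below cannot loop.
    (let* ((read-circle nil)
           (form (condition-case nil
                     (read (current-buffer))
                   (end-of-file (error "Cache file %s is empty" file)))))
      ;; `load' would run every top-level form; accept exactly one.
      (when (condition-case nil
                (progn (read (current-buffer)) t)
              (end-of-file nil))
        (error "Cache file %s has more than one top-level form" file))
      (unless (and (consp form) (eq (car form) flc-safe-expected-head))
        (error "Cache file %s is not a %s form" file flc-safe-expected-head))
      (unless (flc-safe-data-p (cdr form))
        (error "Cache file %s contains non-data objects" file))
      (cdr form))))

;; Constructed inputs for illustration:
;;   a file containing  (fast-lock-cache-data 3 "foo.c" ...)  returns (3 "foo.c" ...)
;;   a file containing  (shell-command "rm -rf ~")            signals an error
;;   a file with a valid form followed by a second form       signals an error
```

This only closes the first of the two problems described in the message: the cache file itself can no longer run code just by being loaded. The validated argument list still flows on to whatever fast-lock does with it, and the message points out that font-lock-compile-keywords may eval forms embedded in the keywords; a data-only check like `flc-safe-data-p' does nothing about that, because such a form is perfectly ordinary list data until font-lock decides to evaluate it.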

Thread overview: 18+ messages
2008-05-09 21:44 [mwelinder@gmail.com: Emacs security bug] Eli Zaretskii
2008-05-09 23:19 ` Chong Yidong
2008-05-10  7:40   ` Eli Zaretskii
2008-05-10  8:28     ` Christian Faulhammer
2008-05-10 14:50 ` Chong Yidong
2008-05-10 15:16   ` Eli Zaretskii
2008-05-12 10:10   ` Marshall, Simon [this message]
2008-05-12 14:31     ` Stefan Monnier
2008-05-12 16:37       ` Marshall, Simon
2008-05-12 17:30         ` Stefan Monnier
2008-05-12 20:14         ` Ulrich Mueller
2008-05-12 20:37           ` Ulrich Mueller
2008-05-13  9:00             ` Marshall, Simon
2008-05-14 14:41               ` Ulrich Mueller
2008-05-14 14:52                 ` Marshall, Simon
2008-05-12 20:45           ` Stefan Monnier
2008-05-12 14:36     ` Florian Weimer
2008-05-12 16:21       ` Marshall, Simon
