From: "Marshall, Simon"
Newsgroups: gmane.emacs.devel
Subject: RE: [mwelinder@gmail.com: Emacs security bug]
Date: Mon, 12 May 2008 11:10:50 +0100
Message-ID: <6EE216E1AA959543A555C60FF34FB7670418B0A2@maileube01.misys.global.ad>
References: <87mymy6wnq.fsf@stupidchicken.com>
To: "Chong Yidong", "Eli Zaretskii"
Cc: Simon Marshall, mwelinder@gmail.com, emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:97009

> > - --> Observe that code from foo.c.flc is run. Not good.
> > (This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
> > be adjusted.)
> >
> > Suggestions:
> >
> > a. Remove "." from fast-lock-cache-directories. Littering little
> > files everywhere is not a good idea anyway.
> >
> > b. Don't use load to handle the .flc file. Instead read it into a
> > buffer and read one s-expression at a time and verify that it is sane
> > before evaluating it.
>
> Simon, could you take a look at this (you're listed as the author of
> fast-lock.el)?
OK, it seems fast-lock writes a single (fast-lock-cache-data ...) form into the .flc file, and fast-lock loads the .flc file. Is there a way to restrict the forms evaluated during a load, rather than parsing the .flc file? Or a better way?

Also note that fast-lock-cache-data calls font-lock-compile-keywords (when setting font-lock-keywords amongst others) which can ultimately eval a keyword. That would also be a security hole, right? (I assume that isn't a security issue in general because font-lock-keywords is a risky local variable, but I think that is a security issue here.) Someone could put their nasty form in the top-level call of fast-lock-cache-data, for font-lock-compile-keywords to eval, rather than at the top-level of the .flc file itself. I don't see how that could be fixed with the current design of font-lock.el.

I know this is a bit cheeky of me, but fast-lock.el is so old that even its successor, lazy-lock.el, is in lisp/obsolete. It was last updated for functional purposes in 1996.

Probably the most reasonable fix, in the circumstances, is to make fast-lock-cache-directories a risky local variable and remove "." from its default value?

Simon.
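The following Emacs Lisp is an added illustration for this thread, not code from fast-lock.el or from the Emacs project. It shows what suggestion (b) and the closing proposal look like in practice: the .flc file is parsed with `read` instead of being handed to `load`, the file must contain exactly one `(fast-lock-cache-data ...)` form, and every argument is walked to refuse anything that would later be evaluated as a call (an `(eval . FORM)` keyword entry, or a `(shell-command ...)` hidden in a FACENAME or PRE-MATCH-FORM position). The `flc-safe-` names are made up for this example, the argument layout of `fast-lock-cache-data` is not relied on, and the replacement default for `fast-lock-cache-directories` is an assumption.

```elisp
;;; flc-safe.el --- added example, not part of fast-lock.el  -*- lexical-binding: t -*-

;; Illustration of suggestion (b): parse the cache with `read' rather than
;; `load', so nothing in the file is evaluated until its shape has been
;; checked.  The exact argument layout of `fast-lock-cache-data' is not
;; assumed; the check only requires a single top-level call to that
;; function whose arguments contain no list that would be run as code.
;; All `flc-safe-' names are hypothetical.

(defconst flc-safe-cache-function 'fast-lock-cache-data
  "The only function a cache file may invoke.")

(defun flc-safe-datum-p (datum)
  "Return non-nil if DATUM is plain data rather than code.
Strings, numbers and symbols are accepted.  A cons is accepted if it
is a `quote' form, or if its car is not a defined function and every
element (and any dotted tail) is itself plain data.  This refuses
`(eval . FORM)' keyword entries and calls such as `(shell-command ...)'
in a FACENAME or PRE-MATCH-FORM position, and, deliberately, also a
MATCHER given as a function symbol."
  (cond
   ((or (stringp datum) (numberp datum) (symbolp datum)) t)
   ((consp datum)
    (let ((head (car datum)))
      (cond
       ;; 'face reads as (quote face); the quoted object is data.
       ((and (eq head 'quote) (consp (cdr datum)) (null (cddr datum))) t)
       ;; A list headed by a function, macro or special form is code.
       ((and (symbolp head) (fboundp head)) nil)
       ;; Walk the list iteratively, recursing only into each element, so
       ;; a long list cannot exhaust `max-lisp-eval-depth'.
       (t (let ((ok t))
            (while (and ok (consp datum))
              (setq ok (flc-safe-datum-p (car datum))
                    datum (cdr datum)))
            (and ok (flc-safe-datum-p datum)))))))
   ;; Vectors, byte-code objects, markers etc. never belong in a cache.
   (t nil)))

(defun flc-safe-read-cache (file)
  "Read FILE and return its single cache form without evaluating anything.
Signal an error if FILE is empty, holds more than one form, does not
call `flc-safe-cache-function', or carries code among its arguments."
  (with-temp-buffer
    (insert-file-contents file)
    (goto-char (point-min))
    (let ((form (condition-case nil
                    (read (current-buffer))
                  (end-of-file (error "%s: no form in cache file" file)))))
      ;; `load' would run a second form appended after the cache data;
      ;; refuse it instead.
      (when (condition-case nil
                (progn (read (current-buffer)) t)
              (end-of-file nil))
        (error "%s: trailing forms in cache file" file))
      (unless (and (consp form) (eq (car form) flc-safe-cache-function))
        (error "%s: expected a (%s ...) form" file flc-safe-cache-function))
      (unless (flc-safe-datum-p (cdr form))
        (error "%s: cache arguments contain code" file))
      form)))

(defun flc-safe-load-cache (file)
  "Validate FILE, then call the cache function on its arguments.
Because the arguments were checked to be plain data, there is no call
form left for `font-lock-compile-keywords' to evaluate."
  (let ((form (flc-safe-read-cache file)))
    (apply (car form) (cdr form))))

;; The mitigation proposed at the end of the message: stop searching the
;; current directory, and mark the directory list risky so a file-local
;; setting of it is not applied silently.  The remaining directory is an
;; assumption for this example.
(setq fast-lock-cache-directories '("~/.emacs-flc"))
(put 'fast-lock-cache-directories 'risky-local-variable t)
```

With this in place, `(flc-safe-load-cache "foo.c.flc")` on a file containing `(fast-lock-cache-data 1 "x" ((eval . (shell-command "id"))))` signals "cache arguments contain code" instead of running anything, and a file with a second form appended after the cache data is refused as well. The checker is conservative on purpose: keyword entries that legitimately contain code are refused too, which is the trade-off the message points at with the current design of font-lock.el.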