From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.ciao.gmane.io!not-for-mail
From: "Philip K." <philip@warpmail.net>
Newsgroups: gmane.emacs.bugs
Subject: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe local
 variable
Date: Tue, 16 Jun 2020 19:32:52 +0200
Message-ID: <874krark57.fsf@warpmail.net>
References: <87367htbaq.fsf@warpmail.net>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="ciao.gmane.io:159.69.161.202";
	logging-data="98784"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: 41619@debbugs.gnu.org
To: Eli Zaretskii <eliz@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Jun 16 19:34:19 2020
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1jlFTX-000Pcc-5U
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 16 Jun 2020 19:34:19 +0200
Original-Received: from localhost ([::1]:33748 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1jlFTW-0008L5-4w
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 16 Jun 2020 13:34:18 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:52764)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jlFTH-0008Ky-Mg
 for bug-gnu-emacs@gnu.org; Tue, 16 Jun 2020 13:34:03 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:37996)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jlFTG-0003ZK-2O
 for bug-gnu-emacs@gnu.org; Tue, 16 Jun 2020 13:34:03 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1jlFTG-0006qu-07
 for bug-gnu-emacs@gnu.org; Tue, 16 Jun 2020 13:34:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: "Philip K." <philip@warpmail.net>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 16 Jun 2020 17:34:01 +0000
Resent-Message-ID: <handler.41619.B41619.159232879326283@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 41619
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 41619-submit@debbugs.gnu.org id=B41619.159232879326283
 (code B ref 41619); Tue, 16 Jun 2020 17:34:01 +0000
Original-Received: (at 41619) by debbugs.gnu.org; 16 Jun 2020 17:33:13 +0000
Original-Received: from localhost ([127.0.0.1]:49542 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1jlFST-0006pr-5K
 for submit@debbugs.gnu.org; Tue, 16 Jun 2020 13:33:13 -0400
Original-Received: from wout5-smtp.messagingengine.com ([64.147.123.21]:35279)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <philip@warpmail.net>) id 1jlFSR-0006pd-9I
 for 41619@debbugs.gnu.org; Tue, 16 Jun 2020 13:33:11 -0400
Original-Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
 by mailout.west.internal (Postfix) with ESMTP id 22CE6621;
 Tue, 16 Jun 2020 13:33:05 -0400 (EDT)
Original-Received: from mailfrontend1 ([10.202.2.162])
 by compute2.internal (MEProxy); Tue, 16 Jun 2020 13:33:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=warpmail.net; h=
 from:to:cc:subject:in-reply-to:date:message-id:mime-version
 :content-type; s=fm3; bh=MPcQXyNXoeMP5u80M377NJYNmHK2b1DhkA1o+J6
 XSBA=; b=OAiX0f31wILY4zq6x1+4giuob2ThMc93z0M/YWJcZgI0PwWbYbkhFIn
 qP2NJ2jplztmL59saBt/L1wHebINU6bwj5o9ailgHoW4eaUSgsHiiyUpcJSS2cMx
 NZSgeAJUiFrc+2qid2e3xL687AE2x9F4M9A7a59nwIx8hBHTIVr68cSwec3fWRWE
 PYixxOSErBpGLXcmbKmcnVkuIQzDeY8scR4aBcj+70XChLiF4mwj37KT+AFqf+8+
 2v7Qqi5IYHBjx7tdxRCQvn50nmLTifFP9jzy1a+3HMsJeavguXVlxO89te2GDLyW
 4tuBt/gOdaDCMHZ94hOn04W0DmuiUwA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=MPcQXyNXoeMP5u80M
 377NJYNmHK2b1DhkA1o+J6XSBA=; b=fHzp5br+EgD9hOZXHi+ifWElEoH9JAfFM
 TlvGT+L/Mq7EH4Kxd81sIdBIANCHZPL5/jHLnRuG/NzC3XVawV1h427CeOmpRCWT
 1SZfEBCaPP19nFV3Te75OA4AIAh3M/CfOTuWf8fUPwWz8ibMZEWtb8gCj6y7zup8
 l5O8PfXMgEga5f1prWZzZHXL9QqYF3eFD3Qrbvs7Q4rgZsWQ0dTE0bw6qhYJZe6E
 WkxJShsFbr7WBnchURnlEUP/xssjNpwglqWoqWyhLS4YN6eoJKai1GOyxPNNsk94
 KRCITEEuWTniMuXS/BPecwtuJC3JcLMsEHla26q2ov4H024wsWe+A==
X-ME-Sender: <xms:UALpXh_gTI3KuxbMkXO6QRppx4O1WWrdOE8a4Xu09wfNMTei_SI91A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudejtddguddukecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
 enucfjughrpefhvffujgffkfggtgesthdtredttddttdenucfhrhhomhepfdfrhhhilhhi
 phcumfdrfdcuoehphhhilhhiphesfigrrhhpmhgrihhlrdhnvghtqeenucggtffrrghtth
 gvrhhnpeehueeiffevveekteffueefkeefjeekkeekfeejleeufedtudffudfgueeigeff
 hfenucfkphepjeelrddvudelrdduleelrddvudehnecuvehluhhsthgvrhfuihiivgeptd
 enucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpseifrghrphhmrghilhdrnhgv
 th
X-ME-Proxy: <xmx:UALpXltjoQH6GjjZXXuT0k3HOtQq87YQF36IGkMxPONc-OKyKgWqMQ>
 <xmx:UALpXvBnPyqiLA8A1N98eL9qOLhkxmOiYJ250OgU2IewLR8LzqJUeA>
 <xmx:UALpXldNhCrruzcUugE8u_bK2S0okr1nrBreGlNXouwTpRypEYyLZA>
 <xmx:UALpXpaGbsORELmuRjjPgosGQmDaoFitW7uGNflwPhcC73axVQkUNw>
Original-Received: from localhost (p4fdbc7d7.dip0.t-ipconnect.de [79.219.199.215])
 by mail.messagingengine.com (Postfix) with ESMTPA id 2631A3280067;
 Tue, 16 Jun 2020 13:33:04 -0400 (EDT)
In-Reply-To: <83ftav0w11.fsf@gnu.org> (message from Eli Zaretskii on Tue, 16
 Jun 2020 20:18:18 +0300)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:182034
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/182034>

Eli Zaretskii <eliz@gnu.org> writes:

>> From: "Philip K." <philip@warpmail.net>
>> Cc: rgm@gnu.org, 41619@debbugs.gnu.org
>> Date: Tue, 16 Jun 2020 18:52:07 +0200
>> 
>> Ultimatly, my estimation was wrong, and the variable shouldn't be marked
>> as safe, at least not with any heuristics that could warn the user if
>> the path is suspicious.
>
> So all we need is to remove the :safe attribute from the variable?  Or
> something else?

That would make it harder for projects to hide malicious values of
python-shell-virtualenv-root, but it's still an attack vector in
principle.

-- 
	Philip K.