From: Christopher Howard
Newsgroups: gmane.emacs.devel
Subject: Emacs Arbitrary Code Execution and How to Avoid It
Date: Tue, 03 Dec 2024 08:53:57 -0900
Message-ID: <878qswfya2.fsf@librehacker.com>
To: Emacs Devel Mailing List

Hi, I read the interesting write-up here:

https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html

I wasn't terribly worried about this, as I don't *automatically* activate Flymake or Flycheck. But the article did mention that "code completion runs arbitrary code", and I was wondering more about that. I do not currently use Completion Preview mode. I have used Company in the past but company-mode is not currently activated. So, if I am just viewing an elisp file, i.e., not typing anything in it, nor running dabbrev commands, is there any danger? Should I set up Emacs to, by default, open all elisp files in View Mode?

Regarding dabbrev, I know dabbrev can search all buffers but I don't know if it does any macro expansion.

I was going to e-mail the author of the post, but Cloudflare won't let me see his e-mail address.

-- 
📛 Christopher Howard
🚀 gemini://gem.librehacker.com
🌐 http://gem.librehacker.com
בראשית ברא אלהים את השמים ואת הארץ
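The message above asks whether Emacs should open all Emacs Lisp files in View mode by default. The following is an added configuration example of that idea, not code from the message or from the linked article: it enables View mode in `emacs-lisp-mode` buffers that visit a file, except for files under a list of directories the user chooses to trust. The directory list, the `my/` prefix and the function names are assumptions made for this example; `view-mode`, `file-in-directory-p`, `seq-some` and `emacs-lisp-mode-hook` are standard Emacs facilities.

```elisp
;; Added example (not from the original message or the linked article):
;; open Emacs Lisp files in View mode by default, except those under
;; directories the user has chosen to trust.  The directory list below
;; is an assumption for illustration; adjust it to your own setup.

(defcustom my/trusted-elisp-dirs
  (list (expand-file-name "~/.emacs.d/")     ; assumption: your own config
        (expand-file-name "~/src/my-elisp/")) ; assumption: your own projects
  "Directories whose Emacs Lisp files open normally instead of in View mode."
  :type '(repeat directory)
  :group 'files)

(defun my/elisp-file-trusted-p (file)
  "Return non-nil if FILE lives under one of `my/trusted-elisp-dirs'."
  (and file
       (seq-some (lambda (dir) (file-in-directory-p file dir))
                 my/trusted-elisp-dirs)))

(defun my/elisp-view-unless-trusted ()
  "Enable View mode in Emacs Lisp buffers visiting untrusted files.
Buffers with no file name (for example *scratch*) are left alone."
  (when (and buffer-file-name
             (not (my/elisp-file-trusted-p buffer-file-name)))
    (view-mode 1)))

;; Run after the major mode is set up for every Emacs Lisp buffer.
(add-hook 'emacs-lisp-mode-hook #'my/elisp-view-unless-trusted)
```

Evaluate the block (or place it in your init file) and any `.el` file outside the trusted directories opens read-only in View mode; `M-x view-mode` turns View mode off for a buffer you decide to edit. Whether View mode alone is sufficient protection against the behaviour described in the linked article is the question the message raises, and this example only implements the setting being asked about.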